DNS attack avenue-escorts.co.uk

Last night (06 Mar 2009, 18:00 – 21:00 GMT) all our DNS servers were hit by thousands of queries per minute like these:

client xx.1.178.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +
client xx.1.34.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +
client xx.92.137.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +
client xx.1.83.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +

All queries were from legit clients that were allowed recursion (so now we know the number of zombies lurking in our network is quite large).

I had to declare the authoritative NSs for avenue-escorts.co.uk as bogus in all our NSs, thus stopping all outgoing queries to them (ref). The queries from clients kept hitting our NSs, but since no recursion was performed the load dropped. Queries stopped about an hour after the fix.

Anyone else seen something similar on their NSs?
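
A detection sketch for the query pattern in the log excerpt above (an added example, not part of the original post): it parses BIND query-log lines and flags zones where almost every query has a leftmost label that never repeats. The function name, the thresholds and the small `PUBLIC_SUFFIXES` set are assumptions made for the example; the benign sample lines are constructed.

```python
import re
from collections import defaultdict

# BIND query-log fragment as shown in the post:
#   client <ip>#<port>: query: <qname> IN <qtype> <flags>
LINE_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

# Assumption: tiny stand-in for a real public-suffix list.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

def find_random_subdomain_floods(lines, min_unique=4, min_ratio=0.9):
    """Return {zone: (unique_labels, clients, queries)} for zones where
    nearly every query carries a never-repeated leftmost label."""
    stats = defaultdict(lambda: {"labels": set(), "clients": set(), "total": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        # DNS names are case-insensitive, so normalise before counting.
        label, _, zone = qname.rstrip(".").lower().partition(".")
        if "." not in zone or zone in PUBLIC_SUFFIXES:
            continue  # would lump unrelated domains under a TLD/suffix
        s = stats[zone]
        s["labels"].add(label)
        s["clients"].add(client)
        s["total"] += 1
    flagged = {}
    for zone, s in stats.items():
        unique = len(s["labels"])
        if unique >= min_unique and unique / s["total"] >= min_ratio:
            flagged[zone] = (unique, len(s["clients"]), s["total"])
    return flagged

SAMPLE = [
    # The four lines quoted in the post
    "client xx.1.178.144#11332: query: XtrkjA.avenue-escorts.co.uk IN NS +",
    "client xx.1.34.160#1024: query: PupxpWqaCy.avenue-escorts.co.uk IN NS +",
    "client xx.92.137.28#32768: query: GWgtomQeLZSDdris.avenue-escorts.co.uk IN NS +",
    "client xx.1.83.145#1025: query: nBgoxan.avenue-escorts.co.uk IN NS +",
    # Constructed benign traffic
    "client 192.0.2.10#40001: query: www.example.co.uk IN A +",
    "client 192.0.2.11#40002: query: www.example.co.uk IN A +",
    "client 192.0.2.12#40003: query: mail.example.co.uk IN MX +",
    "client 192.0.2.10#40004: query: example.com IN A +",
]

if __name__ == "__main__":
    for zone, (u, c, q) in find_random_subdomain_floods(SAMPLE).items():
        print(f"{zone}: {u} unique labels from {c} clients in {q} queries")
```

The thresholds are set low to fit the eight-line sample; on a real resolver log, run it per time window and raise `min_unique` well above what ordinary browsing produces.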
