OARC is coordinating collection of DNS packet captures to assist researchers and security groups increase our understanding of some recent DDoS attacks (against ISPrime in particular). We'd like your help. You can help out by running the following shell script on nameservers that are receiving spoofed queries:

#!/bin/sh
#
# tcpdump-to-oarc.sh
#
# This script captures DNS packets related to an ongoing
# DDoS attack and uploads them to DNS-OARC.  Current
# version can be found at https://www.dns-oarc.net/node/171

# You can set FROM to whatever you like.  We just
# use it to reduce the chance of filename collisions
#
if [ `uname` = "Linux" ]; then
        FROM=`hostname --fqdn` 
else
        FROM=`hostname`
fi

while test `date +%Y%m%d` -lt 20090201 ; do
        tcpdump -c 100 \
            -s 0 \
            -w - \
            -n port domain and '(
                src host 72.249.127.168 or
                src host 69.64.87.156 or
                src host 72.20.3.82 or
                src 64.57.246.123 or
                src 70.86.80.98
            )' \
        | gzip -9c \
        > _oarc.pcap.gz
        mv _oarc.pcap.gz oarc.pcap.gz
        (
            ssh -oPubkeyAuthentication=no \
            -o StrictHostKeyChecking=no \
            ddos-200901@capture.ditl.dns-oarc.net \
            pcap $FROM \
            < oarc.pcap.gz &
        )
done