OARC is coordinating the collection of DNS packet captures to help researchers and security groups better understand some recent DDoS attacks (against ISPrime in particular). We'd like your help. You can help out by running the following shell script on nameservers that are receiving spoofed queries:
#!/bin/sh
# tcpdump-to-oarc.sh
# This script captures DNS packets related to an ongoing
# DDoS attack and uploads them to DNS-OARC.  Current
# version can be found at https://www.dns-oarc.net/node/171

# You can set FROM to whatever you like.  We just
# use it to reduce the chance of filename collisions
if [ "`uname`" = "Linux" ]; then
        FROM=`hostname --fqdn`
else
        FROM=`hostname`
fi

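# NOTE: the addresses for the "src host" terms below are missing
# from this copy of the script, so the filter is incomplete as
# shown. Take them from the current version at the URL above.
while test `date +%Y%m%d` -lt 20090201 ; do
        tcpdump -c 100 \
            -s 0 \
            -w - \
            -n port domain and '(
                src host or
                src host or
                src host or
                src or
            )' \
        | gzip -9c \
        > _oarc.pcap.gz
        # Rename only after the capture is complete, so the upload
        # below never reads a partially written file.
        mv _oarc.pcap.gz oarc.pcap.gz
        # Upload in the background so the next capture starts at once.
        # StrictHostKeyChecking=no skips host key verification, so the
        # identity of the upload server is not checked.
        ssh -oPubkeyAuthentication=no \
            -o StrictHostKeyChecking=no \
            ddos-200901@capture.ditl.dns-oarc.net \
            pcap $FROM \
            < oarc.pcap.gz &
done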