Security Incidents mailing list archives

Re: Re[2]: Strange Traffic..


From: Markus Stumpf <maex-lists-security-incidents () Space Net>
Date: Fri, 30 Nov 2001 23:53:04 +0100

On Fri, Nov 30, 2001 at 10:56:33AM -0600, NESTING, DAVID M (SBCSI) wrote:
> Or I guess it could be some kind of weird DoS attack.  If you can't nail
> down a possible cause on your end you might try contacting them.

I've seen similar traffic before on our DNS servers.
Seems to come from broken DNS resolvers that don't handle SERVFAIL
correctly and try over and over again at a high rate.

You may have a look at
        Title           : Observed DNS Resolution Misbehavior
        Author(s)       : P. Barber, J. Brady, M. Larson
        Filename        : draft-ietf-dnsop-bad-dns-res-00.txt
        Pages           : 14
        Date            : 13-Nov-01
    http://www.ietf.org/internet-drafts/draft-ietf-dnsop-bad-dns-res-00.txt

*> 3. Observed client misbehavior
*>      We suspect that some DNS clients (i.e., stub resolvers) and/or
*>      application programs have overzealous retransmission algorithms
*>      that are triggered by a SERVFAIL response.  Unfortunately, we have
*>      not been able to isolate particular implementations.  The authors
*>      encourage and welcome reports of DNS clients and applications with
*>      overzealous retransmission algorithms.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.
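
One way to spot the retry pattern described in this message in a name server's query log, added here as an example that is not part of the original post or of the cited draft. The log format (epoch seconds, client, qname, qtype, rcode), the window and the threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

# Constructed sample log (assumed format): epoch_seconds client qname qtype rcode
# 192.0.2.10 backs off between retries; 192.0.2.77 re-asks every 100 ms.
SAMPLE_LOG = [
    "1007160000.0 192.0.2.10 www.example.test. A NOERROR",
    "1007160001.0 192.0.2.10 lame.example.test. A SERVFAIL",
    "1007160003.0 192.0.2.10 lame.example.test. A SERVFAIL",
    "1007160007.0 192.0.2.10 lame.example.test. A SERVFAIL",
    "truncated log line",
] + [
    f"{1007160010 + i * 0.1:.1f} 192.0.2.77 lame.example.test. A SERVFAIL"
    for i in range(8)
]

def parse_line(line):
    """Return (ts, client, qname, qtype, rcode), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower(), parts[3].upper(), parts[4].upper()

def find_servfail_retry_storms(lines, window=5.0, threshold=5):
    """Map (client, qname, qtype) to the peak number of SERVFAIL-answered
    queries seen inside any `window`-second span, for peaks >= threshold.
    Assumes the log is in time order."""
    recent = defaultdict(deque)   # per-tuple timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != "SERVFAIL":
            continue
        ts, key = rec[0], rec[1:4]
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: v for k, v in peak.items() if v >= threshold}

if __name__ == "__main__":
    for (client, qname, qtype), n in find_servfail_retry_storms(SAMPLE_LOG).items():
        print(f"{client} repeated {qname} {qtype} {n} times after SERVFAIL")
```

Keying on the full (client, qname, qtype) tuple keeps a client that merely hits several failing zones once each from being flagged alongside one that hammers a single name.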
