nanog mailing list archives
Unusual IN ANY DNS Traffic
From: "Douglas E. Warner" <dwarner () ctinetworks com>
Date: Tue, 10 May 2005 11:22:16 -0400
Since about 03:00 UTC this morning I've been seeing a huge increase in "IN ANY" requests for "msn.com.". While my name servers have not seen much, if any, "IN ANY" queries in the past, now I'm seeing ~ 50 queries/second. I'll include a tcpdump sample below.

Actually, while I was writing this post the queries seem to have stopped (15:05 UTC).

Is this typical of a botnet or some worm propagating? Any experience in this type of traffic would be very much appreciated.

-Doug

==== tcpdump - times in EDT ====
# tcpdump -nn dst port 53 | grep 'ANY'
tcpdump: listening on eth0
10:27:16.748561 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.751724 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 15+ ANY? msn.com. (25) (DF)
10:27:16.758276 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.758440 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 3+ ANY? msn.com. (25) (DF)
10:27:16.758443 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 10+ ANY? msn.com. (25) (DF)
10:27:16.759799 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.761228 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 10+ ANY? msn.com. (25) (DF)
10:27:16.762209 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.764992 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 7+ ANY? msn.com. (25) (DF)
10:27:16.765981 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.766676 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.766798 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 8+ ANY? msn.com. (25) (DF)

--
Douglas E. Warner <dwarner () ctinetworks com>
Network Engineer
CTI Networks, Inc.
http://www.ctinetworks.com
+1 717 975 9000
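Added example, not part of the original post: a small Python parser for tcpdump lines in the format shown above that reports each (source, query name) pair whose peak per-second ANY query count reaches a threshold. The function names, the threshold and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Matches classic "tcpdump -nn" DNS query lines in the format of the post, e.g.
# 10:27:16.748561 192.0.2.10.53 > 198.51.100.5.53: 6+ ANY? msn.com. (25) (DF)
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\.\d+\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"\d+\S*\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)"
)

def parse_any_queries(lines):
    """Yield (second_of_day, source, qname) for every ANY query line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["qtype"] != "ANY":
            continue  # other query types and non-matching lines are ignored
        sec = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
        # DNS names are case-insensitive, so normalise before counting
        yield sec, m["src"], m["qname"].lower()

def any_query_bursts(lines, threshold):
    """Return {(source, qname): peak ANY queries in one second} for peaks >= threshold.

    Timestamps carry no date, so a capture spanning midnight would need splitting.
    """
    per_second = Counter(parse_any_queries(lines))
    peaks = {}
    for (sec, src, qname), count in per_second.items():
        key = (src, qname)
        peaks[key] = max(peaks.get(key, 0), count)
    return {key: peak for key, peak in peaks.items() if peak >= threshold}

# Constructed sample capture (not taken from the post)
SAMPLE = """\
10:27:16.748561 192.0.2.10.53 > 198.51.100.5.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.751724 192.0.2.10.53 > 198.51.100.5.53: 15+ ANY? msn.com. (25) (DF)
10:27:16.758276 192.0.2.10.53 > 198.51.100.5.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.758440 192.0.2.10.53 > 198.51.100.5.53: 3+ ANY? msn.com. (25) (DF)
10:27:16.759799 192.0.2.10.53 > 198.51.100.5.53: 10+ ANY? MSN.com. (25) (DF)
10:27:16.761228 192.0.2.77.1045 > 198.51.100.5.53: 7+ A? www.example.com. (33) (DF)
10:27:16.900001 192.0.2.77.1046 > 198.51.100.5.53: 8+ ANY? example.com. (29) (DF)
10:27:17.002209 192.0.2.10.53 > 198.51.100.5.53: 6+ ANY? msn.com. (25) (DF)
"""

if __name__ == "__main__":
    for (src, qname), peak in any_query_bursts(SAMPLE.splitlines(), 3).items():
        print(f"{src} -> ANY {qname}: peak {peak} queries/second")
```
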
Current thread:
- Unusual IN ANY DNS Traffic Douglas E. Warner (May 10)
- Re: Unusual IN ANY DNS Traffic Duane Wessels (May 10)
- Re: Unusual IN ANY DNS Traffic Douglas E. Warner (May 10)
- Message not available
- Re: Unusual IN ANY DNS Traffic Douglas E. Warner (May 11)
- Re: Unusual IN ANY DNS Traffic Douglas E. Warner (May 10)
- Re: Unusual IN ANY DNS Traffic Duane Wessels (May 10)