nanog mailing list archives
Re: Todd Underwood was a little late
From: Nicholas Suan <nicks () sunbelt-software com>
Date: Wed, 16 Jun 2010 22:25:05 -0400
We've been seeing the same thing since 2010-06-10:

22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? jkl.cnr.cn. (28)
22:13:19.773076 IP 72.236.167.124.33327 > 72.236.167.138.domain: 38783+ A? i10.aliimg.com. (32)
22:13:19.855750 IP 72.236.167.169.33381 > 72.236.167.138.domain: 38783+ A? www.vrp3d.com. (31)
22:13:19.941155 IP 72.236.167.200.33005 > 72.236.167.138.domain: 38783+ A? www.51seer.com. (32)
22:13:20.026342 IP 72.236.167.141.36652 > 72.236.167.138.domain: 38783+ A? img1.kaixin001.com.cn. (39)
22:13:20.102540 IP 72.236.167.188.39525 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com.cn. (38)
22:13:20.204403 IP 72.236.167.103.37838 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com. (35)
22:13:20.791201 IP 72.236.167.186.38958 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com. (36)
22:13:20.876527 IP 72.236.167.121.33000 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com.cn. (39)
22:13:20.971393 IP 72.236.167.203.33726 > 72.236.167.138.domain: 38783+ A? logo.kaixin001.com.cn. (39)
22:13:21.051831 IP 72.236.167.120.35298 > 72.236.167.138.domain: 38783+ A? qqtest.cdn20.com. (34)
22:13:21.132215 IP 72.236.167.196.34862 > 72.236.167.138.domain: 38783+ A? upload.elle.cn. (32)
22:13:21.218372 IP 72.236.167.116.35073 > 72.236.167.138.domain: 38783+ A? www.elle.cn. (29)

Spoofed, all with a TTL of 3. Given that all of the domains in question appear to have nameservers in common, I assumed someone was trying to make us participate in a DDoS attack, and started dropping all of the traffic.

On Jun 16, 2010, at 9:01 PM, Jon Lewis wrote:
I just took a closer look at something odd I'd noticed several days ago. One of our DNS servers was sending crazy amounts of ARP requests for IPs in the /24 its main IP is in. What I've found is we're getting hit with DNS requests that look like they're from "typical internet traffic for someone in China" hitting this DNS server from IPs in its /24 which are currently not in use (at least on our local network). It would appear someone in China is using our IP space, presumably behind a NAT router, and they're leaking some traffic non-NAT'd.

20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33)
20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37)
20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37)
20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36)
20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53: 15939+ A? www.51seer.com. (32)
20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53: 15939+ A? static.xn-app.com. (35)
20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53: 15939+ A? oa.hanhe.com. (30)
20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com. (36)
20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53: 15939+ A? rr.snyu.com. (29)
20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53: 15939+ A? edu.163.com. (29)
20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53: 15939+ A? uphn.snswall.com. (34)
20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53: 15939+ A? zwgk.cma.gov.cn. (33)
20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53: 15939+ A? btocdn.52yeyou.com. (36)
20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53: 15939+ A? img1.kaixin001.com.cn. (39)
20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53: 15939+ A? rextest2.cdn20.com. (36)
20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53: 15939+ A? www.dameiren.com. (34)
20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com.cn. (39)
20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53: 15939+ A? i.jstv.com. (28)

I hope they got a good deal on the IP space...and a better deal on their buggy router.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
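Both captures above share two tell-tale features a resolver operator can alert on: every query carries the same DNS transaction ID (38783 in one capture, 15939 in the other) although it arrives from many different source addresses, and the sources sit inside the server's own /24 even though nothing on the local segment uses them. The following script is an added example for this archive page, not code from either poster: it parses tcpdump's one-line DNS query summaries and flags both conditions. It assumes the resolver's own address is passed in by the caller, that three distinct sources reusing one ID is enough to flag (a constructed threshold), and that the capture was taken without `-v`, so the IP TTL that Nicholas mentions is not present in the lines and is not checked here. Four sample lines are taken from Nicholas Suan's capture and one from Jon Lewis's; the 198.51.100.7 line is a constructed benign query that should not be flagged.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# tcpdump summary of a DNS query:
#   HH:MM:SS.usec IP src.sport > dst.dport: txid+ QTYPE? qname. (len)
# dport is printed as "domain" without -n and as "53" with it.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>domain|\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

# Sample input: lines 1-4 are from Nicholas Suan's capture, line 5 from
# Jon Lewis's; the 198.51.100.7 line is constructed (RFC 5737 test range)
# as a normal query with its own transaction ID from outside the prefix.
SAMPLE_LINES = [
    "22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? jkl.cnr.cn. (28)",
    "22:13:19.773076 IP 72.236.167.124.33327 > 72.236.167.138.domain: 38783+ A? i10.aliimg.com. (32)",
    "22:13:19.855750 IP 72.236.167.169.33381 > 72.236.167.138.domain: 38783+ A? www.vrp3d.com. (31)",
    "22:13:19.941155 IP 72.236.167.200.33005 > 72.236.167.138.domain: 38783+ A? www.51seer.com. (32)",
    "20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33)",
    "22:13:22.000000 IP 198.51.100.7.50123 > 72.236.167.138.domain: 12345+ A? example.com. (29)",
]


def parse_query(line):
    """Parse one tcpdump DNS query line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["txid"] = int(q["txid"])
    q["sport"] = int(q["sport"])
    q["length"] = int(q["length"])
    return q


def find_spoofed_queries(lines, server_ip, min_sources=3):
    """Return (reused, in_prefix).

    reused:    {txid: set(src)} for transaction IDs seen from at least
               min_sources distinct source addresses (a real stub resolver
               would randomise the ID per query).
    in_prefix: source addresses that fall inside the server's own /24,
               i.e. hosts that should have been reachable by ARP locally.
    Queries to other destinations are ignored.
    """
    server_net = ip_network(f"{server_ip}/24", strict=False)
    by_txid = defaultdict(set)
    in_prefix = set()
    for line in lines:
        q = parse_query(line)
        if q is None or q["dst"] != server_ip:
            continue
        by_txid[q["txid"]].add(q["src"])
        if ip_address(q["src"]) in server_net:
            in_prefix.add(q["src"])
    reused = {t: s for t, s in by_txid.items() if len(s) >= min_sources}
    return reused, in_prefix


def report(lines, server_ip, min_sources=3):
    """Human-readable summary, one string per finding."""
    reused, in_prefix = find_spoofed_queries(lines, server_ip, min_sources)
    out = []
    for txid, srcs in sorted(reused.items()):
        out.append(f"txid {txid} reused by {len(srcs)} sources: {', '.join(sorted(srcs))}")
    if in_prefix:
        out.append(f"{len(in_prefix)} sources inside {server_ip}/24: {', '.join(sorted(in_prefix))}")
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_LINES, "72.236.167.138"):
        print(finding)
```

Run it against `tcpdump -n -i eth0 udp dst port 53` output piped through `tee` to a file; with `-n` the destination port shows as `53`, which the pattern also accepts. A match on either condition is a good trigger for the response Nicholas describes, dropping the traffic at the edge, and the list of in-prefix sources is exactly the set Jon's server was ARPing for.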