Re: constant flow of root queries

[ilaiy <ilaiy.e () gmail com>]

Try to block the traffic from 207.210.68.202. It looks like some kind
of webhosting company.

Try send a mail to

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-404-230-9150
OrgAbuseEmail:  abuse () gnax net

And let them know that one of there machines are giving out some
random request.

OrgName:    Global Net Access, LLC
OrgID:      GNAL-2
Address:    55 Marietta St, NW
Address:    Suite 1720
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange:   207.210.64.0 - 207.210.127.255
CIDR:       207.210.64.0/18
NetName:    GNAXNET
NetHandle:  NET-207-210-64-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment:
RegDate:    2005-04-12
Updated:    2006-01-09

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-404-230-9150
OrgAbuseEmail:  abuse () gnax net

OrgTechHandle: ENGIN7-ARIN
OrgTechName:   Engineering
OrgTechPhone:  +1-404-230-9150
OrgTechEmail:  engineering () gnax net



You could also redirect the traffic to some machine if you want to
perform further analysis .

./thanks
ilaiy

On 1/18/06, Brian Collins <listbc () newnanutilities org> wrote:
> Good day folks.  This morning an admin asked us to check on a large amount
> of traffic targeting several DNS servers in our network (both our own DNS
> servers and customer co-located DNS servers).  In looking at the traffic I
> see that the source is making several queries a second for DNS root.  I have
> included a small sample from tcpdump below.  Not sure what the motive is
> here.  The TTLs are all 235.  The random source ports makes me think
> possibly spoofed traffic.  I can put packet dumps up on a website in libpcap
> format if anyone is interested.  They are still going on as I type this.
>
> Thanks for any insight you can lend.
>
>
> 08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53:  7127+ [1au]
> ANY ANY? . (28)
> 08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53:  16133+ [1au]
> ANY ANY? . (28)
> 08:44:32.191226 IP 207.210.68.202.11958 > 216.130.152.71.53:  24095+ [1au]
> ANY ANY? . (28)
> 08:44:32.453721 IP 207.210.68.202.30962 > 216.130.152.71.53:  28728+ [1au]
> ANY ANY? . (28)
> 08:44:32.965355 IP 207.210.68.202.30683 > 216.130.152.71.53:  12271+ [1au]
> ANY ANY? . (28)
> 08:44:33.468862 IP 207.210.68.202.9966 > 216.130.152.71.53:  28170+ [1au]
> ANY ANY? . (28)
> 08:44:33.720408 IP 207.210.68.202.9920 > 216.130.152.71.53:  28160+ [1au]
> ANY ANY? . (28)
> 08:44:33.976693 IP 207.210.68.202.22511 > 216.130.152.71.53:  9346+ [1au]
> ANY ANY? . (28)
> 08:44:34.233664 IP 207.210.68.202.20625 > 216.130.152.71.53:  18580+ [1au]
> ANY ANY? . (28)
> 08:44:34.495015 IP 207.210.68.202.7023 > 216.130.152.71.53:  7968+ [1au] ANY
> ANY? . (28)
> 08:44:34.742492 IP 207.210.68.202.6257 > 216.130.152.71.53:  11859+ [1au]
> ANY ANY? . (28)
> 08:44:35.001415 IP 207.210.68.202.25244 > 216.130.152.71.53:  5372+ [1au]
> ANY ANY? . (28)
> 08:44:35.257812 IP 207.210.68.202.17576 > 216.130.152.71.53:  14270+ [1au]
> ANY ANY? . (28)
> 08:44:35.778259 IP 207.210.68.202.3384 > 216.130.152.71.53:  1508+ [1au] ANY
> ANY? . (28)
> 08:44:36.034492 IP 207.210.68.202.13754 > 216.130.152.71.53:  23670+ [1au]
> ANY ANY? . (28)
> 08:44:36.290463 IP 207.210.68.202.11008 > 216.130.152.71.53:  8899+ [1au]
> ANY ANY? . (28)
> 08:44:36.805271 IP 207.210.68.202.18348 > 216.130.152.71.53:  19806+ [1au]
> ANY ANY? . (28)
> 08:44:37.061876 IP 207.210.68.202.19532 > 216.130.152.71.53:  31844+ [1au]
> ANY ANY? . (28)