Security Incidents mailing list archives

Re: constant flow of root queries


From: Bojan Zdrnja <bojan.zdrnja () gmail com>
Date: Thu, 19 Jan 2006 19:15:00 +1300

On 1/19/06, Brian Collins <listbc () newnanutilities org> wrote:
Good day folks.  This morning an admin asked us to check on a large amount
of traffic targeting several DNS servers in our network (both our own DNS
servers and customer co-located DNS servers).  In looking at the traffic I
see that the source is making several queries a second for DNS root.  I have
included a small sample from tcpdump below.  Not sure what the motive is
here.  The TTLs are all 235.  The random source ports make me think
possibly spoofed traffic.  I can put packet dumps up on a website in libpcap
format if anyone is interested.  They are still going on as I type this.

Thanks for any insight you can lend.


08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53:  7127+ [1au]
ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53:  16133+ [1au]
ANY ANY? . (28)

It could be a DoS attack on 207.210.68.202 from an unknown attacker,
using your DNS servers. The query for the root servers generates a
nice response which can be used to flood the target (small query, big
response).

As you know what the TTL of incoming packets is (235), you can do a
traceroute to this IP address from your network and see what number of
hops you will get - that will help you to determine if the packet is
spoofed or not.

Cheers,

Bojan
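As an added illustration of both points in the reply above (this is example code written for this archive page, not something Bojan or Brian posted), the script below parses tcpdump text output, flags sources that send a burst of class-ANY/type-ANY queries for the root zone "." from many different source ports, and then compares the hop count implied by the observed IP TTL with a traceroute hop count. The first two sample lines are the ones quoted in the thread (joined back onto single lines); the remaining sample lines, the per-second threshold, the set of candidate initial TTLs and the traceroute hop count passed to spoofing_verdict() are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format. The first two lines are the ones
# quoted in the thread; the rest are made up to show a burst within one second
# and one unrelated, benign query from another host.
SAMPLE_TCPDUMP = """\
08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53:  7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53:  16133+ [1au] ANY ANY? . (28)
08:44:32.102233 IP 207.210.68.202.40011 > 216.130.152.71.53:  2201+ [1au] ANY ANY? . (28)
08:44:32.250901 IP 207.210.68.202.50987 > 216.130.152.71.53:  9912+ [1au] ANY ANY? . (28)
08:44:32.603114 IP 207.210.68.202.17002 > 216.130.152.71.53:  4410+ [1au] ANY ANY? . (28)
08:44:32.777788 IP 10.9.8.7.53211 > 216.130.152.71.53:  31337+ A? www.example.com. (33)
"""

# "ANY ANY?" is tcpdump's rendering of class ANY, type ANY; for class IN only
# the type is printed (e.g. "A?"), so the class token is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.(?P<us>\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53:\s+"
    r"\d+\+ (?:\[1au\] )?(?:ANY )?(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_lines(text):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["len"] = int(d["len"])
            records.append(d)
    return records


def find_root_any_floods(records, per_second_threshold=3):
    """Return sources whose root ANY query rate hits the threshold in any second.

    A small query for "ANY ." draws a large answer (the root NS set and glue),
    which is what makes it attractive for reflection; many distinct source
    ports from one address is the pattern Brian describes.
    """
    per_src_sec = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["qtype"] == "ANY" and r["qname"] == ".":
            per_src_sec[r["src"]][r["ts"]].append(r["sport"])
    offenders = {}
    for src, per_sec in per_src_sec.items():
        peak = max(len(ports) for ports in per_sec.values())
        if peak >= per_second_threshold:
            all_ports = [p for ports in per_sec.values() for p in ports]
            offenders[src] = {
                "peak_per_second": peak,
                "total": len(all_ports),
                "distinct_sports": len(set(all_ports)),
            }
    return offenders


def infer_hops(observed_ttl, initial_ttls=(64, 128, 255)):
    """Pick the smallest common initial TTL >= observed and derive hops taken.

    Assumption: the sender uses one of the usual OS defaults (64, 128, 255).
    """
    for init in initial_ttls:
        if observed_ttl <= init:
            return init, init - observed_ttl
    raise ValueError("observed TTL exceeds every candidate initial TTL")


def spoofing_verdict(observed_ttl, traceroute_hops, tolerance=2):
    """Compare TTL-implied hops with a traceroute to the claimed source.

    Forward and reverse paths can differ, so a small tolerance is allowed;
    a large mismatch suggests the source address is spoofed. The traceroute
    hop count is supplied by the caller (constructed in the test below).
    """
    init, implied = infer_hops(observed_ttl)
    return {
        "initial_ttl": init,
        "implied_hops": implied,
        "traceroute_hops": traceroute_hops,
        "consistent": abs(implied - traceroute_hops) <= tolerance,
    }


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_TCPDUMP)
    print(find_root_any_floods(recs))
    print(spoofing_verdict(235, traceroute_hops=20))
```

With the sample above, 207.210.68.202 is reported with a peak of three root ANY queries in one second over five distinct source ports, and a TTL of 235 implies roughly 20 hops from a host that started at 255. If a traceroute toward that address also takes about 20 hops the TTL is at least consistent with a real sender; if it takes, say, 8, the mismatch supports the spoofed-source reading in the reply, in which case 207.210.68.202 is the reflection victim rather than the attacker.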

