Security Incidents mailing list archives

Re: constant flow of root queries


From: Kerry Thompson <kez () security geek nz>
Date: Sat, 21 Jan 2006 18:09:57 +1300

On Wed, 2006-01-18 at 09:37 -0500, Brian Collins wrote:
Good day folks.  This morning an admin asked us to check on a large amount
of traffic targeting several DNS servers in our network (both our own DNS
servers and customer co-located DNS servers).  In looking at the traffic I
see that the source is making several queries a second for DNS root.  I have
included a small sample from tcpdump below.  Not sure what the motive is
here.  The TTLs are all 235.  The random source ports make me think
possibly spoofed traffic.  I can put packet dumps up on a website in libpcap
format if anyone is interested.  They are still going on as I type this.

I've seen similar about a year ago where a Windows server has gone into
a spin firing DNS queries at its upstream forwarder at high rates - like
thousands of requests per second hitting an ISP DNS server. It has also
been noticed by other people, such as this recent post on the BIND-USERS
mailing list:

http://marc.theaimsgroup.com/?l=bind-users&m=113778239231495&w=2

Really the only resolution was to firewall the perpetrator, then try to
contact them and explain the situation in the hope that they will
understand and fix their server.

-- 
Kerry Thompson
http://www.crypt.gen.nz
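The check both posters describe (a single source hammering DNS servers with root queries at several per second, with source ports that change on every packet) is easy to automate from the same tcpdump output Brian mentions. The Python below is an added example, not code from either poster: it parses tcpdump's one-line UDP DNS summary (`HH:MM:SS.usec IP src.sport > dst.dport: id+ TYPE? name (len)`), aggregates per source address, and flags sources whose peak per-second rate exceeds a threshold and whose queries are almost all for the root zone (`.`). The sample lines, addresses (RFC 5737 ranges), ports and thresholds are constructed for the example; the real capture from the thread is not on this page.

```python
import re
from collections import defaultdict

# tcpdump's one-line summary for a UDP DNS query, e.g.
#   09:37:01.000112 IP 192.0.2.10.41023 > 198.51.100.53.53: 21503+ NS? . (17)
# The trailing "+" on the ID means the RD bit is set; "(17)" is the payload length.
TCPDUMP_DNS = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

# Constructed sample: one host firing root NS queries from a fresh source
# port each time at two different servers, plus a normal client for contrast.
SAMPLE = """\
09:37:01.000112 IP 192.0.2.10.41023 > 198.51.100.53.53: 21503+ NS? . (17)
09:37:01.140077 IP 192.0.2.10.58811 > 198.51.100.53.53: 39921+ NS? . (17)
09:37:01.310540 IP 192.0.2.10.32990 > 203.0.113.2.53: 10046+ NS? . (17)
09:37:01.492318 IP 192.0.2.10.61475 > 198.51.100.53.53: 55210+ NS? . (17)
09:37:01.701233 IP 192.0.2.10.49302 > 203.0.113.2.53: 7721+ NS? . (17)
09:37:02.020991 IP 192.0.2.10.53317 > 198.51.100.53.53: 3190+ NS? . (17)
09:37:01.222001 IP 192.0.2.20.51000 > 198.51.100.53.53: 1002+ A? www.example.com. (33)
09:37:02.455010 IP 192.0.2.20.51000 > 198.51.100.53.53: 1003+ AAAA? www.example.com. (33)
""".splitlines()


def parse_line(line):
    """Return a dict of fields for a tcpdump DNS query line, or None if it is not one."""
    m = TCPDUMP_DNS.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["sport"] = int(q["sport"])
    q["dport"] = int(q["dport"])
    return q


def summarize(lines):
    """Aggregate queries to port 53 per source address."""
    stats = {}
    for line in lines:
        q = parse_line(line)
        if q is None or q["dport"] != 53:
            continue
        s = stats.setdefault(q["src"], {
            "total": 0, "root": 0, "ports": set(),
            "per_sec": defaultdict(int), "targets": set(),
        })
        s["total"] += 1
        if q["qname"] == ".":           # query for the root zone itself
            s["root"] += 1
        s["ports"].add(q["sport"])      # how many distinct source ports were used
        s["per_sec"][q["ts"]] += 1      # bucket by whole second for a peak rate
        s["targets"].add(q["dst"])
    return stats


def flag_root_floods(lines, min_rate=3, min_root_fraction=0.9):
    """Return sources whose peak queries/second >= min_rate and whose queries
    are (almost) all for the root zone. Thresholds are illustrative."""
    flagged = []
    for src, s in summarize(lines).items():
        peak = max(s["per_sec"].values())
        frac = s["root"] / s["total"]
        if peak >= min_rate and frac >= min_root_fraction:
            flagged.append({
                "src": src,
                "peak_qps": peak,
                "root_fraction": round(frac, 2),
                "distinct_sports": len(s["ports"]),
                "targets": sorted(s["targets"]),
            })
    return sorted(flagged, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in flag_root_floods(SAMPLE):
        print(f)
```

Feed it real output from `tcpdump -n -tt -i eth0 udp dst port 53` (adjust the regex for `-tt` epoch timestamps if you use that) and raise `min_rate` to whatever is unusual for your servers. Note that a high count of distinct source ports is not by itself evidence of spoofing: stub resolvers and forwarders routinely use a fresh ephemeral port per query, so the per-source rate and the fact that every query is for `.` are the stronger signals, and the packet TTLs (all 235 in Brian's capture) being constant is consistent with a single real host rather than many spoofed ones.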
