Security Incidents mailing list archives
Re: constant flow of root queries
From: Kerry Thompson <kez () security geek nz>
Date: Sat, 21 Jan 2006 18:09:57 +1300
On Wed, 2006-01-18 at 09:37 -0500, Brian Collins wrote:
Good day folks. This morning an admin asked us to check on a large amount of traffic targeting several DNS servers in our network (both our own DNS servers and customer co-located DNS servers). In looking at the traffic I see that the source is making several queries a second for DNS root. I have included a small sample from tcpdump below. Not sure what the motive is here. The TTLs are all 235. The random source ports make me think possibly spoofed traffic. I can put packet dumps up on a website in libpcap format if anyone is interested. They are still going on as I type this.
I've seen similar about a year ago where a Windows server has gone into a spin firing DNS queries at its upstream forwarder at high rates - like thousands of requests per second hitting an ISP DNS server. It has also been noticed by other people, such as this recent post on the BIND-USERS mailing list: http://marc.theaimsgroup.com/?l=bind-users&m=113778239231495&w=2 Really the only resolution was to firewall the perpetrator, then try to contact them and explain the situation in the hope that they will understand and fix their server.
--
Kerry Thompson
http://www.crypt.gen.nz
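The traffic pattern described in this thread (one source repeating root "NS? ." queries several times a second from changing source ports) can be picked out of tcpdump output automatically. The script below is an added illustration, not code from either poster; it parses constructed tcpdump-style lines (not the sample referred to in the original post), computes a per-source rate of root-zone queries, and reports the sources that exceed a threshold so they can be reviewed and, as the reply suggests, firewalled.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not the sample from the original post):
# one host repeating "NS? ." queries from changing source ports, one normal client.
SAMPLE_TCPDUMP = """\
09:37:00.100000 IP 203.0.113.7.51234 > 198.51.100.53.53: 41250+ NS? . (17)
09:37:00.350000 IP 203.0.113.7.60111 > 198.51.100.53.53: 41251+ NS? . (17)
09:37:00.600000 IP 203.0.113.7.40002 > 198.51.100.53.53: 41252+ NS? . (17)
09:37:00.850000 IP 203.0.113.7.55555 > 198.51.100.53.53: 41253+ NS? . (17)
09:37:01.100000 IP 203.0.113.7.49001 > 198.51.100.53.53: 41254+ NS? . (17)
09:37:00.500000 IP 192.0.2.10.33333 > 198.51.100.53.53: 1+ A? www.example.com. (33)
09:37:05.000000 IP 192.0.2.10.33333 > 198.51.100.53.53: 2+ A? mail.example.com. (34)
"""

# Matches the query half of tcpdump's default DNS output: timestamp, src.port > dst.port, id, qtype? qname
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): \d+\+? (\w+)\? (\S+) "
)

def parse_queries(text):
    """Yield (seconds_of_day, src_ip, src_port, qtype, qname) for each query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # responses and non-DNS lines are ignored
        h, mi, s, src, sport, _dst, _dport, qtype, qname = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), src, int(sport), qtype, qname

def root_query_floods(text, min_qps=2.0):
    """Return {src_ip: stats} for sources querying the root zone at >= min_qps."""
    per_src = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for ts, src, sport, _qtype, qname in parse_queries(text):
        if qname != ".":
            continue  # only the repeated root-zone queries from the report
        st = per_src[src]
        st["count"] += 1
        st["first"] = ts if st["first"] is None else min(st["first"], ts)
        st["last"] = ts if st["last"] is None else max(st["last"], ts)
        st["ports"].add(sport)
    flagged = {}
    for src, st in per_src.items():
        span = max(st["last"] - st["first"], 1.0)  # rate over at least a 1 s window
        qps = st["count"] / span
        if qps >= min_qps:
            # distinct_ports records the "random source ports" the poster noticed; it is
            # a hint worth reviewing, not proof of spoofing on its own
            flagged[src] = {"qps": round(qps, 2), "count": st["count"],
                            "distinct_ports": len(st["ports"])}
    return flagged
```

Run `root_query_floods(open("capture.txt").read())` on saved `tcpdump -n port 53` output (assumed file name) to list the offending sources; the threshold `min_qps` is an assumption and should be tuned to the resolver's normal load.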
Current thread:
- constant flow of root queries Brian Collins (Jan 18)
- Re: constant flow of root queries ilaiy (Jan 19)
- Re: constant flow of root queries Bojan Zdrnja (Jan 19)
- Re: constant flow of root queries Dude VanWinkle (Jan 20)
- Re: constant flow of root queries Kerry Thompson (Jan 23)