Re: DNS Flood

["Henry R. Linneweh" <linneweh () concentric net>]

Resolved 199.108.32.203 to inspire3d.com
Resolved 216.15.178.201 to Lets.lepak.net
Resolved 129.180.11.17 to turing.une.edu.au
Unable to resolve 216.41.23.68
Netname: OEMGREEN
Netblock: 216.41.0.0 - 216.41.127.255
Maintainer: DHHC
Resolved 208.235.124.20 to cardassian.keysdigital.com
Unable to resolve 203.251.77
inetnum:     203.251.0.0 - 203.251.127.255
netname:    KORNET
descr:        Korea Telecom



"Jamie D." wrote:

> Are there any other ISP's who are experiencing DNS floods, specifically I am
> looking for traffic destined for (or coming from) the following IPs
>
> > > > 199.108.32.203
> > > > 216.15.178.201
> > > > 129.180.11.17
> > > > 216.41.23.68
> > > > 208.235.124.20
> > > > 203.251.77.1
>
> It appears someone is running a script that is using these nameservers, as
> well as the name servers of other educational facilities, to do a lookup on
> mulitple servers in the amplitude of 3-4 a second.  This activity has been
> happening for the past 3 weeks, we have null routed this traffic on our
> backbone, but it still shows up in Cache flow.
>
> This traffic actually saturated our customer's pipe as well as increased the
> load on our backbone router.
>
> If anyone has seen anything at all like that, (specifically people from
> UU.net or AT&T Worldnet) please lets band together and find the person doing
> this.
>
> Thanks
> Jamie D.    | noc () cerf net
> AT&T CERFnet| Network Analyst
> 1-888-237-3638 opt 2 opt 2