RE: Odd DNS Traffic

["McBurnett, Jim" <jmcburnett () msmgmt com>]

Michael,
Do you have a packet sniff of the traffic?
Possibly a sniff of at least 10000 packets?
HMMM..
I have seen some increase at our Corp DNS, but not that much...
drop me a note offlist with the sniff.. I would like to look at this..

Jim

> -----Original Message-----
> From: Support Team [mailto:support () snworks com]
> Sent: Wednesday, March 26, 2003 4:01 PM
> To: nanog () merit edu
> Subject: Odd DNS Traffic
>
>
>
> First I would like to note I am new to the list and group.  
> It's nice to
> be here.
>
> Second, since Monday, March 24th at approx 1am we have been suffering
> from "odd" DNS traffic to our two primary DNS servers.  The 
> odd traffic
> has increased our bandwidth utilization by about 20 Mbps, which is
> obviously putting a hurting on our network and our DNS servers.
>
> I know this must also be affecting other networks, and if anything the
> root servers.  If anyone has any suggestions, etc, they would be much
> appreciated.
>
> Thank you,
> Michael Mannella
> Support Team
> Synergy Networks, Inc.
>
> Here are the symptoms:
> ============================================
>
> The odd traffic started with the root servers, namely
> (a-m).gtld-servers.net .  Most of the traffic is still coming 
> from them,
> but other servers have also started sending us this odd traffic.
>
> We have 3 dns servers, only two are being affected, they are 
> our Primary
> and Secondary servers that are listed with Network Solutions. 
>  The third
> server (that is not being affected) is not listed with NetSol 
> and has no
> DNS records setup in it.  It is strictly being used for lookups.
>
> The odd traffic is listed as a "DNS Spoof attempt" on our firewall.
>
> The odd traffic looks like this:
>
> Rcv   192.48.79.30    0cbb  R Q [0084 A     NOERROR]
> (8)Îҵĵ绰(3)COM(0)
> UDP response info at 01ADC8BC
>   Socket = 380
>   Remote addr 192.48.79.30, port 53
>   Time Query=147367, Queued=0, Expire=0
>   Buf length = 0x0200 (512)
>   Msg length = 0x010e (270)
>   Message:
>     XID       0x0cbb
>     Flags     0x8400
>         QR        1 (response)
>         OPCODE    0 (QUERY)
>         AA        1
>         TC        0
>         RD        0
>         RA        0
>         Z         0
>         RCODE     0 (NOERROR)
>     QCOUNT    0x1
>     ACOUNT    0x1
>     NSCOUNT   0xd
>     ARCOUNT   0x0
>     Offset = 0x000c, RR count = 0
>     Name      "(8)Îҵĵ绰(3)COM(0)"
>       QTYPE   A (1)
>       QCLASS  1
>     ANSWER SECTION:
>     Offset = 0x001e, RR count = 0
>     Name      "[C00C](8)Îҵĵ绰(3)COM(0)"
>       TYPE   A  (1)
>       CLASS  1
>       TTL    300
>       DLEN   4
>       DATA   198.41.1.35
>     AUTHORITY SECTION:
>     Offset = 0x002e, RR count = 0
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   20
>       DATA   (1)g(12)gtld-servers(3)net(0)
>     Offset = 0x004e, RR count = 1
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)h[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x005e, RR count = 2
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)d[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x006e, RR count = 3
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)j[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x007e, RR count = 4
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)i[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x008e, RR count = 5
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)l[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x009e, RR count = 6
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)b[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x00ae, RR count = 7
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)e[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x00be, RR count = 8
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)a[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x00ce, RR count = 9
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)k[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x00de, RR count = 10
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)f[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x00ee, RR count = 11
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)c[C03C](12)gtld-servers(3)net(0)
>     Offset = 0x00fe, RR count = 12
>     Name      "[C015](3)COM(0)"
>       TYPE   NS  (2)
>       CLASS  1
>       TTL    172800
>       DLEN   4
>       DATA   (1)m[C03C](12)gtld-servers(3)net(0)
>     ADDITIONAL SECTION:
>
> The DNS server encountered an invalid domain name in a packet from
> 192.48.79.30.  The packet is
> rejected.