nanog mailing list archives

Re: Large number of DNS probes in last 24 hours


From: Jim Wise <jwise () draga com>
Date: Sat, 31 May 2008 00:34:31 -0400 (EDT)

On Fri, 30 May 2008, Michael Still wrote:

> Jim Wise wrote:
> > I've seen a surprising number of attempted recursive DNS requests
> > against unpublished non-recursive DNS servers in the last 24 hours or
> > so, many of them obviously probes of some sort (query for "." IN NS,
> > eg).
> >
> > Is anyone else seeing this?  Is it new?  Or did some botnet just reach
> > this corner of the IP space?
>
> I have seen PlanetLab experiments doing this. What are the originating
> IP addresses?

Three observed source addresses

        208.78.169.237
        204.11.51.62
        194.199.24.101

Source ports are high and non-repeating.  Other than the domain root, 
A-record queries for "google.com" and for hostnames which appear to be 
on the same subnet as the querying host.

-- 
                                Jim Wise
                                jwise () draga com
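
Added example, not part of the original post: one way an operator of an authoritative-only server could classify the kind of queries described above (RD bit set, "." IN NS, A queries for names outside the served zones) from raw DNS query payloads. The zone `example.org.`, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

def build_query(qname, qtype, rd=True, txid=0x1234):
    """Build a minimal DNS query (constructed sample input, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    """Return (rd_flag, qname, qtype) for the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):
            raise ValueError("invalid or truncated label")
        labels.append(msg[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return bool(flags & 0x0100), ".".join(labels) + ".", qtype

def classify(msg, served_zones):
    """Label a query received by a server authoritative only for served_zones."""
    rd, qname, qtype = parse_query(msg)
    if any(qname == z or qname.endswith("." + z) for z in served_zones):
        return "in-zone"
    if qname == "." and qtype == 2:          # "." IN NS, as seen in the post
        return "root-ns-probe"
    return "out-of-zone-recursive" if rd else "out-of-zone"

if __name__ == "__main__":
    zones = ["example.org."]                  # assumed served zone
    for q in (build_query(".", 2), build_query("google.com", 1),
              build_query("www.example.org", 1, rd=False)):
        print(parse_query(q), classify(q, zones))
```

Counting the non-"in-zone" labels per source address over time gives a simple way to compare what different operators are seeing.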

