nanog mailing list archives

Re: What are these Google IPs hammering on my DNS server?


From: Mark Andrews <marka () isc org>
Date: Mon, 4 Dec 2023 10:31:54 +1100



On 4 Dec 2023, at 08:21, Michael Hare via NANOG <nanog () nanog org> wrote:

John-

This is little consolation, but at AS3128, I see the same thing to our downstream at times, claiming to come from 
both 13335 and 15169 often simultaneously to the tune of 25Kpps, "assuming it's not spoofed", which is pragmatically 
impossible to prove for me given our indirect relationships with these companies.  When I see these events, I 
typically also see a wide variety of country codes participating simultaneously.  Again, assuming it's not spoofed.  
To me it just looks like effective harassment with 13335/15169 helping out.  I pine for the internet of the 1990s.

Just set TC=1 for those clients.  If you get queries over TCP then they were not spoofed.  If they are using DNS 
COOKIE (RFC 7873) you can send back BADCOOKIE to the initial (client cookie only) UDP request with your server cookie.  
Identifying real DNS clients has been possible for years now.  It’s not hard.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
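
Added example, not part of the original message and not ISC code: a Python sketch of the UDP decision described in the reply above (TC=1 when the query has no cookie, BADCOOKIE plus a server cookie when only a client cookie is present, normal answer once the server cookie comes back). The function names, the HMAC-based server cookie and the sample query are assumptions constructed for illustration.

```python
import hashlib, hmac, struct

SECRET = b"constructed-demo-secret"  # assumption: per-server secret
COOKIE_OPT, BADCOOKIE = 10, 23       # EDNS option code and extended RCODE (RFC 7873)
# Constructed sample: UDP query for example.com A carrying only an 8-byte client cookie.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
SAMPLE = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + QUESTION + b"\x00"
          + struct.pack("!HHIH", 41, 1232, 0, 12) + struct.pack("!HH", COOKIE_OPT, 8) + b"CLIENTCK")

def server_cookie(client_cookie, client_ip):
    # Assumption: truncated HMAC-SHA256, not the interoperable RFC 9018 construction.
    return hmac.new(SECRET, client_cookie + client_ip.encode(), hashlib.sha256).digest()[:8]

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk labels until root or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def find_cookie(msg):
    """Return the COOKIE option payload from the message's OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off, pos = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == 41 and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == COOKIE_OPT:
                return rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
    return None

def udp_reply(query, client_ip):
    """Return (action, reply bytes or None) for a UDP query from an unverified source."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags = (flags & 0x0100) | 0x8000              # QR=1, keep RD
    question = query[12:skip_name(query, 12) + 4]  # assumes exactly one question
    cookie = find_cookie(query)
    if cookie is None or len(cookie) < 8:          # no usable cookie: TC=1 forces a TCP retry
        return "truncate", struct.pack("!6H", qid, flags | 0x0200, 1, 0, 0, 0) + question
    cc, good = cookie[:8], server_cookie(cookie[:8], client_ip)
    if hmac.compare_digest(cookie[8:], good):
        return "answer", None                      # source address verified; resolve normally
    rdata = struct.pack("!HH", COOKIE_OPT, 16) + cc + good
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, (BADCOOKIE >> 4) << 24, len(rdata)) + rdata
    return "badcookie", struct.pack("!6H", qid, flags | (BADCOOKIE & 0xF), 1, 0, 0, 1) + question + opt
```

A spoofed source never sees the server cookie or the truncated reply, so it cannot produce the follow-up query that reaches the "answer" branch.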

