[dns-operations] ip id from servers

Randy Bush randy at psg.com
Thu Mar 11 02:09:05 UTC 2010

we are running a measurement experiment which involves a port tap on a
fiber to one of our routers.  on that tap, we are seeing what we believe
to be unusual behavior from some packet sources (see below).  what we
think we are seeing are a significant number of duplicates of the tuple
(source ip, ip id).  

we think that this would be due to high retransmits, extremely poor ip
id randomization, a massive number of packets so that ids are recycled,
an anycast artifact, or cosmic rays.  i note that these are mostly name
servers.  so i gotta wonder if there is some commonly used software with
its own stack or something similar.

any clues appreciated.


---	ns-pri.ripe.net. 	figwort.arin.net. 	g3.nstld.com. 	l.gtld-servers.net. 	f3.nstld.com. 	dill.arin.net. 	7c29477b.i-revonet.jp. 	felixx.tsn.or.jp. 	c.gtld-servers.net. 	m.gtld-servers.net. 	g.gtld-servers.net. 	h.gtld-servers.net. 	f.gtld-servers.net. 	a.gtld-servers.net. 	d.gtld-servers.net. 	sec3.apnic.net.

More information about the dns-operations mailing list