[dns-operations] ip id from servers
Randy Bush
randy at psg.com
Thu Mar 11 02:09:05 UTC 2010
we are running a measurement experiment which involves a port tap on a
fiber to one of our routers. on that tap, we are seeing what we believe
to be unusual behavior from some packet sources (see below). what we
think we are seeing are a significant number of duplicates of the tuple
(source ip, ip id).
we think that this would be due to high retransmits, extremely poor ip
id randomization, a massive number of packets so that ids are recycled,
an anycast artifact, or cosmic rays. i note that these are mostly name
servers. so i gotta wonder if there is some commonly used software with
its own stack or something similar.
any clues appreciated.
randy
---
193.0.0.195 ns-pri.ripe.net.
192.42.93.32 figwort.arin.net.
192.42.93.32 g3.nstld.com.
192.41.162.30 l.gtld-servers.net.
192.35.51.32 f3.nstld.com.
192.35.51.32 dill.arin.net.
124.41.71.123 7c29477b.i-revonet.jp.
203.141.148.250 203.141.148.250.static.zoot.jp.
218.45.21.199 felixx.tsn.or.jp.
192.26.92.30 c.gtld-servers.net.
192.55.83.30 m.gtld-servers.net.
192.42.93.30 g.gtld-servers.net.
192.54.112.30 h.gtld-servers.net.
192.35.51.30 f.gtld-servers.net.
192.5.6.30 a.gtld-servers.net.
192.31.80.30 d.gtld-servers.net.
202.12.28.140 sec3.apnic.net.
More information about the dns-operations
mailing list