[dns-operations] ip id from servers

Colm MacCárthaigh colm at stdlib.net
Thu Mar 11 02:16:56 UTC 2010


Across what kind of measurement interval are the duplicates observed?
Within milliseconds, seconds ... hours?

If this is the ID field in the layer 3 IP header - could these be
multiple fragments from the same datagram?

On Wed, Mar 10, 2010 at 6:09 PM, Randy Bush <randy at psg.com> wrote:
> we are running a measurement experiment which involves a port tap on a
> fiber to one of our routers.  on that tap, we are seeing what we believe
> to be unusual behavior from some packet sources (see below).  what we
> think we are seeing are a significant number of duplicates of the tuple
> (source ip, ip id).
>
> we think that this would be due to high retransmits, extremely poor ip
> id randomization, a massive number of packets so that ids are recycled,
> an anycast artifact, or cosmic rays.  i note that these are mostly name
> servers.  so i gotta wonder if there is some commonly used software with
> its own stack or something similar.
>
> any clues appreciated.
>
> randy
>
> ---
>
> 193.0.0.195     ns-pri.ripe.net.
> 192.42.93.32    figwort.arin.net.
> 192.42.93.32    g3.nstld.com.
> 192.41.162.30   l.gtld-servers.net.
> 192.35.51.32    f3.nstld.com.
> 192.35.51.32    dill.arin.net.
> 124.41.71.123   7c29477b.i-revonet.jp.
> 203.141.148.250 203.141.148.250.static.zoot.jp.
> 218.45.21.199   felixx.tsn.or.jp.
> 192.26.92.30    c.gtld-servers.net.
> 192.55.83.30    m.gtld-servers.net.
> 192.42.93.30    g.gtld-servers.net.
> 192.54.112.30   h.gtld-servers.net.
> 192.35.51.30    f.gtld-servers.net.
> 192.5.6.30      a.gtld-servers.net.
> 192.31.80.30    d.gtld-servers.net.
> 202.12.28.140   sec3.apnic.net.



-- 
Colm
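
Added example, not part of the original message or of either poster's tooling: one way to answer the two questions above from a capture is to group packets by (source ip, ip id), set fragments of one datagram apart from repeated whole datagrams, and report the smallest time gap between repeats. The function names, the 192.0.2.x/198.51.100.x addresses and the timestamps are constructed for illustration.

```python
import struct
from collections import defaultdict

IPV4 = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def ipv4_header(src, dst, ip_id, flags_frag=0):
    """Build a minimal IPv4/UDP header (checksum left at 0; constructed test data)."""
    pack_ip = lambda a: bytes(map(int, a.split(".")))
    return struct.pack(IPV4, 0x45, 0, 20, ip_id, flags_frag, 64, 17, 0,
                       pack_ip(src), pack_ip(dst))

def parse(raw):
    """Return (src, ip_id, is_fragment) from raw IPv4 header bytes."""
    _, _, _, ip_id, ff, _, _, _, src, _ = struct.unpack(IPV4, raw[:20])
    more_fragments = bool(ff & 0x2000)   # MF flag
    offset = ff & 0x1FFF                 # fragment offset in 8-byte units
    return ".".join(map(str, src)), ip_id, more_fragments or offset > 0

def classify(packets):
    """packets: iterable of (timestamp_seconds, raw_header).
    Returns a dict for every (src, ip_id) seen more than once."""
    seen = defaultdict(list)
    for ts, raw in packets:
        src, ip_id, frag = parse(raw)
        seen[(src, ip_id)].append((ts, frag))
    report = {}
    for key, hits in seen.items():
        if len(hits) < 2:
            continue
        whole = sorted(ts for ts, frag in hits if not frag)
        gaps = [b - a for a, b in zip(whole, whole[1:])]
        report[key] = {"fragments": sum(1 for _, f in hits if f),
                       "whole": len(whole),              # unfragmented repeats
                       "min_gap": min(gaps) if gaps else None}
    return report

# Constructed sample: one fragmented datagram, one true repeat 2.5 s apart, one unique.
SAMPLE = [
    (0.0,  ipv4_header("192.0.2.53", "198.51.100.1", 0x1234, 0x2000)),  # MF set
    (0.25, ipv4_header("192.0.2.53", "198.51.100.1", 0x1234, 185)),     # offset 185
    (0.5,  ipv4_header("192.0.2.54", "198.51.100.1", 0)),
    (3.0,  ipv4_header("192.0.2.54", "198.51.100.1", 0)),
    (4.0,  ipv4_header("192.0.2.55", "198.51.100.1", 7)),
]

if __name__ == "__main__":
    for key, info in classify(SAMPLE).items():
        print(key, info)
```

A tuple with "whole" of 2 or more is a repeat that fragmentation does not explain, and "min_gap" gives the interval over which it recurred.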


