[dns-operations] ip id from servers
Colm MacCárthaigh
colm at stdlib.net
Thu Mar 11 02:16:56 UTC 2010
Across what kind of measurement interval are the duplicates observed?
Within milliseconds, seconds ... hours?
If this is the ID field in the layer 3 IP header - could these be
multiple fragments from the same datagram?
On Wed, Mar 10, 2010 at 6:09 PM, Randy Bush <randy at psg.com> wrote:
> we are running a measurement experiment which involves a port tap on a
> fiber to one of our routers. on that tap, we are seeing what we believe
> to be unusual behavior from some packet sources (see below). what we
> think we are seeing are a significant number of duplicates of the tuple
> (source ip, ip id).
>
> we think that this would be due to high retransmits, extremely poor ip
> id randomization, a massive number of packets so that ids are recycled,
> an anycast artifact, or cosmic rays. i note that these are mostly name
> servers. so i gotta wonder if there is some commonly used software with
> its own stack or something similar.
>
> any clues appreciated.
>
> randy
>
> ---
>
> 193.0.0.195 ns-pri.ripe.net.
> 192.42.93.32 figwort.arin.net.
> 192.42.93.32 g3.nstld.com.
> 192.41.162.30 l.gtld-servers.net.
> 192.35.51.32 f3.nstld.com.
> 192.35.51.32 dill.arin.net.
> 124.41.71.123 7c29477b.i-revonet.jp.
> 203.141.148.250 203.141.148.250.static.zoot.jp.
> 218.45.21.199 felixx.tsn.or.jp.
> 192.26.92.30 c.gtld-servers.net.
> 192.55.83.30 m.gtld-servers.net.
> 192.42.93.30 g.gtld-servers.net.
> 192.54.112.30 h.gtld-servers.net.
> 192.35.51.30 f.gtld-servers.net.
> 192.5.6.30 a.gtld-servers.net.
> 192.31.80.30 d.gtld-servers.net.
> 202.12.28.140 sec3.apnic.net.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--
Colm
More information about the dns-operations
mailing list