[dns-operations] ip id from servers
Mark Andrews
marka at isc.org
Thu Mar 11 02:24:31 UTC 2010
In message <m28w9z1uf2.wl%randy at psg.com>, Randy Bush writes:
> we are running a measurement experiment which involves a port tap on a
> fiber to one of our routers. on that tap, we are seeing what we believe
> to be unusual behavior from some packet sources (see below). what we
> think we are seeing are a significant number of duplicates of the tuple
> (source ip, ip id).
And if you throw in the destination ip do you still have lots of duplicates?
<source ip + destination id + ip id> are required for reassembly.
> we think that this would be due to high retransmits, extremely poor ip
> id randomization, a massive number of packets so that ids are recycled,
> an anycast artifact, or cosmic rays. i note that these are mostly name
> servers. so i gotta wonder if there is some commonly used software with
> its own stack or something similar.
>
> any clues appreciated.
>
> randy
>
> ---
>
> 193.0.0.195 ns-pri.ripe.net.
> 192.42.93.32 figwort.arin.net.
> 192.42.93.32 g3.nstld.com.
> 192.41.162.30 l.gtld-servers.net.
> 192.35.51.32 f3.nstld.com.
> 192.35.51.32 dill.arin.net.
> 124.41.71.123 7c29477b.i-revonet.jp.
> 203.141.148.250 203.141.148.250.static.zoot.jp.
> 218.45.21.199 felixx.tsn.or.jp.
> 192.26.92.30 c.gtld-servers.net.
> 192.55.83.30 m.gtld-servers.net.
> 192.42.93.30 g.gtld-servers.net.
> 192.54.112.30 h.gtld-servers.net.
> 192.35.51.30 f.gtld-servers.net.
> 192.5.6.30 a.gtld-servers.net.
> 192.31.80.30 d.gtld-servers.net.
> 202.12.28.140 sec3.apnic.net.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list