[dns-operations] ip id from servers

Mark Andrews marka at isc.org
Thu Mar 11 02:24:31 UTC 2010


In message <m28w9z1uf2.wl%randy at psg.com>, Randy Bush writes:
> we are running a measurement experiment which involves a port tap on a
> fiber to one of our routers.  on that tap, we are seeing what we believe
> to be unusual behavior from some packet sources (see below).  what we
> think we are seeing are a significant number of duplicates of the tuple
> (source ip, ip id).  

And if you throw in the destination ip do you still have lots of duplicates?

<source ip + destination id + ip id> are required for reassembly.

> we think that this would be due to high retransmits, extremely poor ip
> id randomization, a massive number of packets so that ids are recycled,
> an anycast artifact, or cosmic rays.  i note that these are mostly name
> servers.  so i gotta wonder if there is some commonly used software with
> its own stack or something similar.
> 
> any clues appreciated.
> 
> randy
> 
> ---
> 
> 193.0.0.195	ns-pri.ripe.net.
> 192.42.93.32 	figwort.arin.net.
> 192.42.93.32 	g3.nstld.com.
> 192.41.162.30 	l.gtld-servers.net.
> 192.35.51.32 	f3.nstld.com.
> 192.35.51.32 	dill.arin.net.
> 124.41.71.123 	7c29477b.i-revonet.jp.
> 203.141.148.250 203.141.148.250.static.zoot.jp.
> 218.45.21.199 	felixx.tsn.or.jp.
> 192.26.92.30 	c.gtld-servers.net.
> 192.55.83.30 	m.gtld-servers.net.
> 192.42.93.30 	g.gtld-servers.net.
> 192.54.112.30 	h.gtld-servers.net.
> 192.35.51.30 	f.gtld-servers.net.
> 192.5.6.30 	a.gtld-servers.net.
> 192.31.80.30 	d.gtld-servers.net.
> 202.12.28.140 	sec3.apnic.net.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list