[dns-operations] ip id from servers

sthaug at nethelp.no sthaug at nethelp.no
Thu Mar 11 07:32:03 UTC 2010


> we are running a measurement experiment which involves a port tap on a
> fiber to one of our routers.  on that tap, we are seeing what we believe
> to be unusual behavior from some packet sources (see below).  what we
> think we are seeing are a significant number of duplicates of the tuple
> (source ip, ip id).  
> 
> we think that this would be due to high retransmits, extremely poor ip
> id randomization, a massive number of packets so that ids are recycled,
> an anycast artifact, or cosmic rays.  i note that these are mostly name
> servers.  so i gotta wonder if there is some commonly used software with
> its own stack or something similar.

I can only confirm a few of these from here (Oslo, Norway). What I see
is pretty bad. *All* of the DNS answers I receive from these 3 servers
have IP ID 0:

> 193.0.0.195   ns-pri.ripe.net.
> 192.54.112.30 h.gtld-servers.net.
> 202.12.28.140 sec3.apnic.net.

Other important servers visible from here (e.g. i.root-servers.net)
behave normally.

Extract from tcpdump of the traffic from ns-pri.ripe.net to one of
our recursive servers below.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
----------------------------------------------------------------------
08:31:23.903054 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 150) 193.0.0.195.53 > 193.75.110.74.28984: 13803 NXDomain*- 0/1/0 (122)
08:31:24.081948 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 166) 193.0.0.195.53 > 193.75.110.74.27560: 48- 0/3/0 (138)
08:31:24.127551 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 138) 193.0.0.195.53 > 193.75.110.74.32594: 8256- 0/2/0 (110)
08:31:24.660733 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 160) 193.0.0.195.53 > 193.75.110.74.26616: 21057- 0/2/0 (132)
08:31:25.149572 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 147) 193.0.0.195.53 > 193.75.110.74.62947: 52110 NXDomain*- 0/1/0 (119)
08:31:25.492105 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 137) 193.0.0.195.53 > 193.75.110.74.55992: 511- 0/2/0 (109)
08:31:25.531831 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 146) 193.0.0.195.53 > 193.75.110.74.40782: 49598 NXDomain*- 0/1/0 (118)
08:31:25.576930 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 140) 193.0.0.195.53 > 193.75.110.74.18915: 5698- 0/2/0 (112)
08:31:25.583805 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 142) 193.0.0.195.53 > 193.75.110.74.62877: 4390- 0/2/0 (114)
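The observation above (every answer from a source carrying IP ID 0, i.e. a pile of duplicate (source ip, ip id) tuples) is easy to check mechanically on a tap. Below is an added example, not code from the original post or from the dns-operations list, that parses `tcpdump -v` style IPv4 header lines like the ones in the extract, counts per source how many packets carry ID 0, how many (source, ID) pairs repeat, and applies a simple label. The sample input embeds the nine lines quoted above plus a few constructed lines from documentation-range addresses (198.51.100.7, 203.0.113.9) to show the other two outcomes; the function and label names are my own. One caveat worth keeping in mind when reading the output: RFC 6864 (published in 2013, after this thread) explicitly allows any ID value, including 0, on atomic datagrams (DF set, not fragmented), so a constant ID is only a defect for packets that may still be fragmented; the code records the DF bit separately for that reason.

```python
import re
from collections import Counter, defaultdict

# Matches the IPv4 header prefix printed by "tcpdump -v" (the format quoted in the post).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(tos \S+, ttl (?P<ttl>\d+), id (?P<ipid>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), "
    r"length (?P<length>\d+)\) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Sample input: the nine lines from the post (193.0.0.195) plus constructed lines
# from documentation-range addresses, added here only to exercise the other labels.
SAMPLE_LINES = [
    "08:31:23.903054 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 150) 193.0.0.195.53 > 193.75.110.74.28984: 13803 NXDomain*- 0/1/0 (122)",
    "08:31:24.081948 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 166) 193.0.0.195.53 > 193.75.110.74.27560: 48- 0/3/0 (138)",
    "08:31:24.127551 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 138) 193.0.0.195.53 > 193.75.110.74.32594: 8256- 0/2/0 (110)",
    "08:31:24.660733 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 160) 193.0.0.195.53 > 193.75.110.74.26616: 21057- 0/2/0 (132)",
    "08:31:25.149572 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 147) 193.0.0.195.53 > 193.75.110.74.62947: 52110 NXDomain*- 0/1/0 (119)",
    "08:31:25.492105 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 137) 193.0.0.195.53 > 193.75.110.74.55992: 511- 0/2/0 (109)",
    "08:31:25.531831 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 146) 193.0.0.195.53 > 193.75.110.74.40782: 49598 NXDomain*- 0/1/0 (118)",
    "08:31:25.576930 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 140) 193.0.0.195.53 > 193.75.110.74.18915: 5698- 0/2/0 (112)",
    "08:31:25.583805 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 142) 193.0.0.195.53 > 193.75.110.74.62877: 4390- 0/2/0 (114)",
    # constructed: a source that reuses ID 100 while fragmentation is still allowed (no DF)
    "08:31:26.000001 IP (tos 0x0, ttl 57, id 100, offset 0, flags [none], proto UDP (17), length 120) 198.51.100.7.53 > 193.75.110.74.41000: 1234 1/0/0 (92)",
    "08:31:26.000002 IP (tos 0x0, ttl 57, id 101, offset 0, flags [none], proto UDP (17), length 120) 198.51.100.7.53 > 193.75.110.74.41001: 1235 1/0/0 (92)",
    "08:31:26.000003 IP (tos 0x0, ttl 57, id 100, offset 0, flags [none], proto UDP (17), length 120) 198.51.100.7.53 > 193.75.110.74.41002: 1236 1/0/0 (92)",
    # constructed: a source with distinct, non-zero IDs
    "08:31:26.000004 IP (tos 0x0, ttl 60, id 4001, offset 0, flags [DF], proto UDP (17), length 120) 203.0.113.9.53 > 193.75.110.74.41003: 1237 1/0/0 (92)",
    "08:31:26.000005 IP (tos 0x0, ttl 60, id 4002, offset 0, flags [DF], proto UDP (17), length 120) 203.0.113.9.53 > 193.75.110.74.41004: 1238 1/0/0 (92)",
]


def parse_line(line):
    """Return the IPv4 fields of one tcpdump -v line, or None if it is not a header line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = {f for f in m["flags"].split(",") if f and f != "none"}
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "ipid": int(m["ipid"]),
        "df": "DF" in flags,
        "more_fragments": "+" in flags,
        "offset": int(m["offset"]),
    }


def analyze(lines):
    """Per source address: packet count, ID-0 count (with/without DF), distinct and repeated IDs."""
    stats = defaultdict(lambda: {"packets": 0, "zero_id": 0, "zero_id_with_df": 0,
                                 "distinct_ids": 0, "duplicate_ids": 0})
    seen = defaultdict(Counter)  # src -> Counter of IP IDs observed
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        s = stats[p["src"]]
        s["packets"] += 1
        if p["ipid"] == 0:
            s["zero_id"] += 1
            if p["df"]:
                s["zero_id_with_df"] += 1
        seen[p["src"]][p["ipid"]] += 1
    for src, counter in seen.items():
        stats[src]["distinct_ids"] = len(counter)
        # every repeat of an already-seen (src, id) tuple counts as one duplicate
        stats[src]["duplicate_ids"] = sum(n - 1 for n in counter.values() if n > 1)
    return dict(stats)


def classify(src_stats):
    """Coarse label for one source's IP ID behaviour (heuristic labels chosen here)."""
    if src_stats["packets"] and src_stats["zero_id"] == src_stats["packets"]:
        return "all-zero-id"      # constant ID 0; harmless only if every packet also sets DF
    if src_stats["duplicate_ids"] > 0:
        return "id-reuse"         # (src, id) tuples repeat while fragmentation is possible
    return "normal"


if __name__ == "__main__":
    for src, s in sorted(analyze(SAMPLE_LINES).items()):
        print(f"{src:15} {classify(s):12} packets={s['packets']} zero_id={s['zero_id']} "
              f"zero_id_with_df={s['zero_id_with_df']} distinct={s['distinct_ids']} dups={s['duplicate_ids']}")
```

Run against a live tap with `tcpdump -n -v -i <tap> 'udp src port 53' | python3 this_script.py`-style piping after replacing `SAMPLE_LINES` with `sys.stdin`; the point of keeping `zero_id_with_df` separate from `zero_id` is that a source whose every answer is ID 0 *and* DF is within what RFC 6864 later permitted, whereas repeated IDs on packets without DF are the case where reassembly of unrelated fragments becomes possible.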
