[dns-operations] New subscribers

Jeff Taylor shdwdrgn at sourpuss.net
Sat Jan 15 21:37:50 UTC 2011

That's something I had not thought to check.  I just did a quick scan of 
the logs from the last two days for anything matching the query "isc.org 
IN ANY" and found that every last one of them are coming in on port 
25345.  That certainly seems to rule out any legitimate (albeit 
excessive) testing of the services.

Sorry I forgot about this thread for a few days, however myself and at 
least one other person are seeing continued large amounts of traffic 
running this query.  I wrote up a very simple BASH script which monitors 
my bind log and adds rules to iptables to block the offender, then 
removes the IP in 10 minutes and waits for a repeat offense.  It seems 
to be working great as I never see more than 5 IP's blocked at any time, 
although I should modify the iptables rule to only block port 53 (I 
can't tell if this is coming from spoofed IPs, or a botnet of some sort).

The thing that confuses me is the constant fluctuations in the traffic.  
There is no steady stream of queries coming in, no obvious cycles in 
activity through the day.  I would think if this were an automated 
attack of some sort, the barrage would be constant?

On 01/11/2011 08:41 AM, Michael Graff wrote:
> One report we've received here at ISC is that all the source ports are
> identical.  Is this the case for you as well?
> - --Michael

More information about the dns-operations mailing list