[dns-operations] MX record scanning

Jaroslav Benkovský jaroslav.benkovsky at nic.cz
Tue May 10 08:18:26 UTC 2011


we have noticed similar traffic on Christmas on all our authoritative
servers - queries per sec going several times our normal load, mostly
for MX, many source addresses. From a sharp start and equally sharp end
it was clearly a botnet or a coordinated effort. Lasted several hours
with some repeats.

Now in the last days we see similar storms, but their falloff is more
gradual, suggesting a different process.

Most of that junk results in NXDomain anyway.

Jarda Benkovsky

On 05/09/2011 06:06 PM, Carlos Vicente wrote:
> Dear list,
> In the last week or so I've noticed a significant increase in queries per
> second on one of our authoritative servers, which happens to be secondary
> for a number of TLDs. A quick inspection of the traffic patterns seems to
> indicate an MX record scanning process with no distinguishable origin (I'm
> guessing a bot net). I was wondering if anyone else was experiencing this
> and if they had any thoughts they'd want to share.
> I'm attaching a screenshot of the DSC graph that shows the increase in the
> last few days.
> Regards,
> Carlos Vicente
> University of Oregon
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list