[dns-operations] MX record scanning
Jaroslav Benkovský
jaroslav.benkovsky at nic.cz
Tue May 10 08:18:26 UTC 2011
Hi,
we have noticed similar traffic on Christmas on all our authoritative
servers - queries per sec going several times our normal load, mostly
for MX, many source addresses. From a sharp start and equally sharp end
it was clearly a botnet or a coordinated effort. Lasted several hours
with some repeats.
Now in the last days we see similar storms, but their falloff is more
gradual, suggesting a different process.
Most of that junk results in NXDomain anyway.
Jarda Benkovsky
On 05/09/2011 06:06 PM, Carlos Vicente wrote:
> Dear list,
>
> In the last week or so I've noticed a significant increase in queries per
> second on one of our authoritative servers, which happens to be secondary
> for a number of TLDs. A quick inspection of the traffic patterns seems to
> indicate an MX record scanning process with no distinguishable origin (I'm
> guessing a bot net). I was wondering if anyone else was experiencing this
> and if they had any thoughts they'd want to share.
>
> I'm attaching a screenshot of the DSC graph that shows the increase in the
> last few days.
>
> Regards,
>
> Carlos Vicente
> University of Oregon
>
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
More information about the dns-operations
mailing list