[dns-operations] MX record scanning

Assis Guerreiro assis.guerreiro at fccn.pt
Tue May 10 09:47:21 UTC 2011

On 09-05-2011 21:25, Sebastian Castro wrote:
> On 05/10/2011 06:55 AM, Stephane Bortzmeyer wrote:
>> On Mon, May 09, 2011 at 09:06:06AM -0700,
>>  Carlos Vicente <cvicente.lists at gmail.com> wrote 
>>  a message of 155 lines which said:
>>> In the last week or so I've noticed a significant increase in
>>> queries per second on one of our authoritative servers, which
>>> happens to be secondary for a number of TLDs. A quick inspection of
>>> the traffic patterns seems to indicate an MX record scanning process
>> It seems in the same league as the MX scanning seen by .CL and
>> reported by Mauricio Vergara Ereche at the OARC meeting in San
>> Francisco
>> <https://www.dns-oarc.net/files/workshop-201103/20110314-ccNSO-Query-Storm_affecting_CL-mave.pdf>. You
>> should compare your pcap files.
> SIDN (.NL) reported a similar situation a long time ago, with "retries" from
> time to time. We, NZRS (.NZ), see that too, as well as CIRA (.CA).
>> (Also, at least one CENTR member saw "the same" in January and
>> reported it on an internal CENTR mailing list.)
We (.PT) also noticed an identical situation, on all of our authoritative
servers, more than once.
It started on 5 January 2011, with the highest number of MX queries per
second, more than 5 times the normal (all queries).
After that we have seen some other episodes from time to time, most of
them with a much lower number of MX queries.
At that time I reported it to the CENTR mailing list.
> Cheers,

Assis Guerreiro
Technical Infrastructure Service DNS.PT
.PT ccTLD Technical Contact

FCCN - Fundação para a Computação Científica Nacional | DNS.PT
Apartado 50366 | 1708-001 Lisboa | Portugal
Tel.: +351 218 440 100 | Fax.: +351 218 440 157
Email: assis.guerreiro at fccn.pt