[dns-operations] Huge increase in number of blank queries

Bob Paolucci Bob.Paolucci at rci.rogers.com
Tue Sep 13 17:32:19 UTC 2011


Anyone know of anything strange going on?

We've experienced a huge jump in the number of queries coming in with no
domain (.)
I'm seeing such a jump that it's increased the number of queries my
servers are handling by 7X.
I'm afraid we're being used for some sort of amplification attack.
I cannot pinpoint any particular destination network... and these
queries are coming from all over our network (clients).

Example of what we're seeing:


DNS:  ----- DNS Header -----
DNS:  
DNS:  Query ID = 11822
DNS:  Opcode: Query
DNS:  RD (Recursion Desired) 
DNS:  1 question(s)
DNS:      Domain Name: 
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:  

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 21 arrived at 17:27:19.91916
ETHER:  Packet size = 134 bytes
ETHER:  Destination = 0:1:64:f9:1a:1, 
ETHER:  Source      = 0:21:28:80:65:9d, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  

IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 120 bytes
IP:   Identification = 333
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = 0000
IP:   Source address = 64.71.246.97,
dns15-vip-rcbin.wlfdle.rnc.net.cable.rogers.com
IP:   Destination address = 174.117.115.133, 174.117.115.133
IP:   No options
IP:   

UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 53
UDP:  Destination port = 1046 
UDP:  Length = 100 
UDP:  Checksum = 5919 
UDP:  
DNS:  ----- DNS Header -----
DNS:  
DNS:  Response ID = 43465
DNS:  RA (Recursion Available) 
DNS:  Response Code: 0 (OK)
DNS:  Reply to 1 question(s)
DNS:      Domain Name: 
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:  
DNS:  0 answer(s)
DNS:  1 name server resource(s)
DNS:      Domain Name: 
DNS:      Class: 1 (Internet)
DNS:      Type:  6 (Start Of a zone Authority)
DNS:      TTL (Time To Live): 3509
DNS:      Start Of a zone Authority: 
DNS:      MNAME (Server name): a.root-servers.net.
DNS:      RNAME (Resposible mailbox): nstld.verisign-grs.com.
DNS:      Serial: 2011091300
DNS:      Refresh: 1800  Retry: 900  Expire: 604800 Minimum: 86400
DNS:  
DNS:  0 additional record(s)
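The following is an added example, not part of the original mail: a small detector that a resolver operator could run over query logs to confirm a surge like the one described and list the clients responsible, plus a sizing of the root "A" query against the response in the dump above to see how much a reflector could amplify. The log lines are constructed in BIND's query-log style (the post's capture is snoop output, not a query log), the thresholds are illustrative, and the response size is taken from the UDP length (100 bytes) shown in the dump.

```python
"""Flag a surge in empty-QNAME ('.') queries and estimate the amplification
factor of the SOA-only response seen in the capture. Added example; log lines
below are constructed, not taken from the original mail."""
import re
import struct
from collections import Counter

# Constructed sample in BIND query-log style: two clients burst root-name
# queries, one client sends ordinary traffic.
SAMPLE_LOG = """\
13-Sep-2011 17:27:19.919 client 174.117.115.133#1046: query: . IN A + (64.71.246.97)
13-Sep-2011 17:27:19.921 client 174.117.115.133#1047: query: . IN A + (64.71.246.97)
13-Sep-2011 17:27:19.925 client 174.117.115.133#1048: query: . IN A + (64.71.246.97)
13-Sep-2011 17:27:19.930 client 192.0.2.10#5353: query: www.example.com IN A + (64.71.246.97)
13-Sep-2011 17:27:19.933 client 198.51.100.7#40001: query: . IN A + (64.71.246.97)
13-Sep-2011 17:27:19.934 client 198.51.100.7#40002: query: . IN A + (64.71.246.97)
13-Sep-2011 17:27:19.940 client 192.0.2.10#5353: query: mail.example.com IN MX + (64.71.246.97)
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every parseable query-log line."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")


def root_query_stats(log_text):
    """Return (root-name queries per client, total queries, root-name total)."""
    per_client = Counter()
    total = 0
    root_total = 0
    for ip, qname, _qtype in parse_queries(log_text):
        total += 1
        if qname == ".":
            per_client[ip] += 1
            root_total += 1
    return per_client, total, root_total


def flag_root_query_sources(log_text, min_root_queries=2, max_root_fraction=0.1):
    """Report whether root-name queries exceed the expected share of traffic
    and which clients are responsible. Thresholds are assumptions; tune them
    to the resolver's own baseline."""
    per_client, total, root_total = root_query_stats(log_text)
    fraction = root_total / total if total else 0.0
    offenders = [(ip, n) for ip, n in per_client.most_common() if n >= min_root_queries]
    return {
        "root_fraction": round(fraction, 3),
        "surge": fraction > max_root_fraction,
        "offenders": offenders,
    }


def root_a_query_wire(query_id=11822, rd=True):
    """DNS wire format of the query in the capture: one question for '.'
    class IN type A with RD set. Built only to measure its size."""
    flags = 0x0100 if rd else 0x0000  # QR=0, opcode QUERY, RD bit
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)
    question = b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def amplification_ratio(response_udp_length=100):
    """Response-to-query size ratio at the DNS layer. The response size is the
    capture's UDP length (100) minus the 8-byte UDP header; the 17-byte query
    is the header plus the root question."""
    response_dns_bytes = response_udp_length - 8
    query_dns_bytes = len(root_a_query_wire())
    return round(response_dns_bytes / query_dns_bytes, 2)


if __name__ == "__main__":
    print(flag_root_query_sources(SAMPLE_LOG))
    print("amplification ratio:", amplification_ratio())
```

The ratio comes out at roughly 5.4x (92 response bytes against a 17-byte query), which is modest for a reflector compared with large ANY or DNSSEC answers; the per-client counts are the more useful output here, since they show whether the surge is a few abusive sources or, as the post describes, spread across the whole client base.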