[dns-operations] Huge increase in number of blank queries

Bob Paolucci Bob.Paolucci at rci.rogers.com
Tue Sep 13 18:59:49 UTC 2011 

Never mind guys. :)
Turned out to be a whacky cable modem router firmware that was causing the issue. :)


----- Original Message -----
From: dns-operations-bounces at lists.dns-oarc.net <dns-operations-bounces at lists.dns-oarc.net>
To: dns-operations at lists.dns-oarc.net <dns-operations at lists.dns-oarc.net>
Sent: Tue Sep 13 13:32:19 2011
Subject: Re: [dns-operations] Huge increase in number of blank queries

Anyone know of anything strange going on?

We've experience a huge jump in the number of Queries coming in with no
domain (.)
Im seeing such a jump that its increased the number of queries my
servers are handling by 7X.
Im afraid we're being used for some sort of amplification attack.
I cannot pinpoint any particular destination network... and these
queries are coming from all over our network (clients).

Example of what we're seeing:


DNS:  ----- DNS Header -----
DNS:  
DNS:  Query ID = 11822
DNS:  Opcode: Query
DNS:  RD (Recursion Desired) 
DNS:  1 question(s)
DNS:      Domain Name: 
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:  

ETHER:  ----- Ether Header -----
ETHER:  
ETHER:  Packet 21 arrived at 17:27:19.91916
ETHER:  Packet size = 134 bytes
ETHER:  Destination = 0:1:64:f9:1a:1, 
ETHER:  Source      = 0:21:28:80:65:9d, 
ETHER:  Ethertype = 0800 (IP)
ETHER:  

IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 120 bytes
IP:   Identification = 333
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = 0000
IP:   Source address = 64.71.246.97,
dns15-vip-rcbin.wlfdle.rnc.net.cable.rogers.com
IP:   Destination address = 174.117.115.133, 174.117.115.133
IP:   No options
IP:   

UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 53
UDP:  Destination port = 1046 
UDP:  Length = 100 
UDP:  Checksum = 5919 
UDP:  
DNS:  ----- DNS Header -----
DNS:  
DNS:  Response ID = 43465
DNS:  RA (Recursion Available) 
DNS:  Response Code: 0 (OK)
DNS:  Reply to 1 question(s)
DNS:      Domain Name: 
DNS:      Class: 1 (Internet)
DNS:      Type:  1 (Address)
DNS:  
DNS:  0 answer(s)
DNS:  1 name server resource(s)
DNS:      Domain Name: 
DNS:      Class: 1 (Internet)
DNS:      Type:  6 (Start Of a zone Authority)
DNS:      TTL (Time To Live): 3509
DNS:      Start Of a zone Authority: 
DNS:      MNAME (Server name): a.root-servers.net.
DNS:      RNAME (Resposible mailbox): nstld.verisign-grs.com.
DNS:      Serial: 2011091300
DNS:      Refresh: 1800  Retry: 900  Expire: 604800 Minimum: 86400
DNS:  
DNS:  0 additional record(s)
-------------- next part --------------

This e-mail (and attachment(s)) is confidential, proprietary, may be subject to copyright and legal privilege and no related rights are waived. If you are not the intended recipient or its agent, any review, dissemination, distribution or copying of this e-mail or any of its content is strictly prohibited and may be unlawful. All messages may be monitored as permitted by applicable law and regulations and our policies to protect our business. E-mails are not secure and you are deemed to have accepted any risk if you communicate with us by e-mail. If received in error, please notify us immediately and delete the e-mail (and any attachments) from any computer or any storage medium without printing a copy.

Ce courriel (ainsi que ses pièces jointes) est confidentiel, exclusif, et peut faire l?objet de droit d?auteur et de privilège juridique; aucun droit connexe n?est exclu. Si vous n?êtes pas le destinataire visé ou son représentant, toute étude, diffusion, transmission ou copie de ce courriel en tout ou en partie, est strictement interdite et peut être illégale. Tous les messages peuvent être surveillés, selon les lois et règlements applicables et les politiques de protection de notre entreprise. Les courriels ne sont pas sécurisés et vous êtes réputés avoir accepté tous les risques qui y sont liés si vous choisissez de communiquer avec nous par ce moyen. Si vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement et supprimer ce courriel (ainsi que toutes ses pièces jointes) de tout ordinateur ou support de données sans en imprimer une copie.

More information about the dns-operations mailing list