[dns-operations] Queries for isc.org/ANY/IN

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jan 17 08:32:26 UTC 2012

Hi all!

I can confirm this. We see peaks of around 2000q/s on our Anycast DNS 
servers (2nd level authoritive name servers). Peaks are usually 2-3 
minutes, sometimes also 2-3 hours. During a peak all the requests come 
from the same (spoofed) source IP.

The queries are ANY/IN for arbitrary (existing) domains with "recursion 
desired" flag set. Usually we have the peaks in Singapore and Los 
Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus, 
I think the attacker's bots are mainly located in Asia.


On 09.01.2012 09:15, Paul J. Smith wrote:
> I think you'll find most of these are apnic blocks.  Quite a few providers including ourselves have been seeing this traffic for a month or so now. They are making ANY requests for many, many domains at a great rate.  We certainly see 1000's of requests per second.  Mostly 5 minute peaks, but sometimes longer.  Starts around 4am our time, carries on for 14 hours or so, stops, re-starts the next day.
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Sebastian Wiesinger
> Sent: 08 January 2012 23:46
> To: DNS Operations
> Subject: [dns-operations] Queries for isc.org/ANY/IN
> Hello,
> I'm noticing a spike in queries for isc.org/ANY/IN on my DNS server.
> These are refused but I wonder what is up? I read that there was a
> (attempted) DDoS with these kind of queries in the past, is ist
> starting up again?
> These queries suddenly started on January 2nd, you can see it here:
> http://www.karotte.org/pics/isc-queries.png
> There are the Top 10 clients for this query in the last 24 hours:
>     2476
>     2120
>     1301
>      926
>      534
>      457
>      232
>      143
>       95
>       79
> Regards
> Sebastian

More information about the dns-operations mailing list