[dns-operations] Queries for isc.org/ANY/IN
klaus.mailinglists at pernau.at
Tue Jan 17 08:32:26 UTC 2012
I can confirm this. We see peaks of around 2000q/s on our Anycast DNS
servers (2nd level authoritive name servers). Peaks are usually 2-3
minutes, sometimes also 2-3 hours. During a peak all the requests come
from the same (spoofed) source IP.
The queries are ANY/IN for arbitrary (existing) domains with "recursion
desired" flag set. Usually we have the peaks in Singapore and Los
Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus,
I think the attacker's bots are mainly located in Asia.
On 09.01.2012 09:15, Paul J. Smith wrote:
> I think you'll find most of these are apnic blocks. Quite a few providers including ourselves have been seeing this traffic for a month or so now. They are making ANY requests for many, many domains at a great rate. We certainly see 1000's of requests per second. Mostly 5 minute peaks, but sometimes longer. Starts around 4am our time, carries on for 14 hours or so, stops, re-starts the next day.
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Sebastian Wiesinger
> Sent: 08 January 2012 23:46
> To: DNS Operations
> Subject: [dns-operations] Queries for isc.org/ANY/IN
> I'm noticing a spike in queries for isc.org/ANY/IN on my DNS server.
> These are refused but I wonder what is up? I read that there was a
> (attempted) DDoS with these kind of queries in the past, is ist
> starting up again?
> These queries suddenly started on January 2nd, you can see it here:
> There are the Top 10 clients for this query in the last 24 hours:
> 2476 220.127.116.11
> 2120 18.104.22.168
> 1301 22.214.171.124
> 926 126.96.36.199
> 534 188.8.131.52
> 457 184.108.40.206
> 232 220.127.116.11
> 143 18.104.22.168
> 95 22.214.171.124
> 79 126.96.36.199
More information about the dns-operations