[dns-operations] Queries for isc.org/ANY/IN

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jan 17 08:32:26 UTC 2012


Hi all!

I can confirm this. We see peaks of around 2000q/s on our Anycast DNS 
servers (2nd level authoritative name servers). Peaks are usually 2-3 
minutes, sometimes also 2-3 hours. During a peak all the requests come 
from the same (spoofed) source IP.

The queries are ANY/IN for arbitrary (existing) domains with "recursion 
desired" flag set. Usually we have the peaks in Singapore and Los 
Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus, 
I think the attacker's bots are mainly located in Asia.

regards
Klaus

On 09.01.2012 09:15, Paul J. Smith wrote:
> I think you'll find most of these are APNIC blocks.  Quite a few providers including ourselves have been seeing this traffic for a month or so now. They are making ANY requests for many, many domains at a great rate.  We certainly see 1000's of requests per second.  Mostly 5 minute peaks, but sometimes longer.  Starts around 4am our time, carries on for 14 hours or so, stops, re-starts the next day.
>
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Sebastian Wiesinger
> Sent: 08 January 2012 23:46
> To: DNS Operations
> Subject: [dns-operations] Queries for isc.org/ANY/IN
>
> Hello,
>
> I'm noticing a spike in queries for isc.org/ANY/IN on my DNS server.
> These are refused but I wonder what is up? I read that there was a
> (attempted) DDoS with these kinds of queries in the past, is it
> starting up again?
>
> These queries suddenly started on January 2nd, you can see it here:
>
> http://www.karotte.org/pics/isc-queries.png
>
> These are the top 10 clients for this query in the last 24 hours:
>
>     2476 69.4.233.53
>     2120 76.10.210.231
>     1301 212.7.194.14
>      926 176.31.235.155
>      534 68.68.27.29
>      457 174.127.73.147
>      232 78.159.111.189
>      143 174.127.88.134
>       95 69.4.230.111
>       79 46.105.9.242
>
> Regards
>
> Sebastian
>
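
An added example, not part of the thread or any poster's own tooling: one way to pull the pattern described above (ANY queries with "recursion desired" set, many per minute from a single source address) out of a query log, and to produce a top-clients list like the one quoted. It assumes BIND 9 style query-log lines; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed BIND 9 style query-log line; adjust the pattern for other servers.
LINE_RE = re.compile(
    r"^(?P<minute>\S+ \d\d:\d\d):\d\d\S* .*?client (?:@\S+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def any_rd_queries(lines):
    """Yield (minute, source_ip) for each ANY query that has RD set ('+' flag)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["qtype"].upper() == "ANY" and m["flags"].startswith("+"):
            yield m["minute"], m["ip"]

def peaks(lines, threshold):
    """Per-minute, per-source counts of ANY+RD queries that reach threshold."""
    counts = Counter(any_rd_queries(lines))
    return {key: n for key, n in counts.items() if n >= threshold}

def top_clients(lines, n=10):
    """Top-n sources of ANY+RD queries over the whole log, as (ip, count)."""
    return Counter(ip for _, ip in any_rd_queries(lines)).most_common(n)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    f"17-Jan-2012 08:32:{s:02d}.000 client 192.0.2.10#4{s:04d}: "
    f"query: zone{s}.example IN ANY +E (203.0.113.53)"
    for s in range(5)
] + [
    # Ordinary A query from the same source: not counted.
    "17-Jan-2012 08:32:07.000 client 192.0.2.10#40007: query: www.example.net IN A + (203.0.113.53)",
    # ANY query without RD ('-' flag): not counted.
    "17-Jan-2012 08:32:09.000 client 198.51.100.7#5353: query: example.org IN ANY -E (203.0.113.53)",
    # Single ANY query with RD: counted, but below the peak threshold.
    "17-Jan-2012 08:33:01.000 client 198.51.100.7#5354: query: example.org IN ANY + (203.0.113.53)",
]

if __name__ == "__main__":
    for (minute, ip), n in sorted(peaks(SAMPLE, threshold=5).items()):
        print(f"{minute} {ip} sent {n} ANY queries with RD set")
    for ip, n in top_clients(SAMPLE):
        print(f"{n:8d} {ip}")
```

Because the source addresses in this traffic are reported as spoofed, the addresses such a report surfaces are likely the targets of the reflected responses rather than the senders.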


