[dns-operations] Queries for isc.org/ANY/IN

Mark Andrews marka at isc.org
Tue Jan 17 09:40:48 UTC 2012


In message <4F15321A.1020003 at pernau.at>, Klaus Darilion writes:
> Hi all!
> 
> I can confirm this. We see peaks of around 2000q/s on our Anycast DNS 
> servers (2nd level authoritative name servers). Peaks are usually 2-3 
> minutes, sometimes also 2-3 hours. During a peak all the requests come 
> from the same (spoofed) source IP.
> 
> The queries are ANY/IN for arbitrary (existing) domains with "recursion 
> desired" flag set. Usually we have the peaks in Singapore and Los 
> Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus, 
> I think the attacker's bots are mainly located in Asia.
> 
> regards
> Klaus

You should use these to work out where BCP 38 filters are not in
place and then fix.  If it is from a peer then get them to fix and
de-peer.  If it is from a transit provider they should be enforcing
BCP 38 as part of their peering agreements and if not find a transit
provider that does.

BCP 38 is over a decade old at this point.  There is NO excuse any
longer.

> On 09.01.2012 09:15, Paul J. Smith wrote:
> > I think you'll find most of these are apnic blocks.  Quite a few providers
> > including ourselves have been seeing this traffic for a month or so now.
> > They are making ANY requests for many, many domains at a great rate.  We
> > certainly see 1000's of requests per second.  Mostly 5 minute peaks, but
> > sometimes longer.  Starts around 4am our time, carries on for 14 hours or
> > so, stops, re-starts the next day.
> >
> > -----Original Message-----
> > From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Sebastian Wiesinger
> > Sent: 08 January 2012 23:46
> > To: DNS Operations
> > Subject: [dns-operations] Queries for isc.org/ANY/IN
> >
> > Hello,
> >
> > I'm noticing a spike in queries for isc.org/ANY/IN on my DNS server.
> > These are refused but I wonder what is up? I read that there was a
> > (attempted) DDoS with these kind of queries in the past, is it
> > starting up again?
> >
> > These queries suddenly started on January 2nd, you can see it here:
> >
> > http://www.karotte.org/pics/isc-queries.png
> >
> > These are the Top 10 clients for this query in the last 24 hours:
> >
> > Regards
> >
> > Sebastian
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
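
The pattern reported in this thread (bursts of ANY/IN queries with the recursion desired flag set, all from one source address) can be pulled out of a name server's query log. The following is an added example, not code posted by anyone in the thread; it assumes BIND 9 style query-log lines, and the function names, the per-minute threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 style query-log line:
#   <date> <time> client [@0x..] <ip>#<port> [(name)]: query: <qname> <class> <type> <flags> (...)
# A flags field starting with '+' means the RD (recursion desired) bit was set.
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ client "
    r"(?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def any_rd_peaks(lines, threshold=20):
    """Return (minute, source, queries, distinct_qnames) for every source that
    sent at least `threshold` ANY/IN queries with RD set within one minute."""
    counts = Counter()
    qnames = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query-log line
        if (m["qclass"], m["qtype"]) != ("IN", "ANY") or not m["flags"].startswith("+"):
            continue
        key = (m["minute"], m["src"])
        counts[key] += 1
        qnames[key].add(m["qname"].lower())
    return sorted((minute, src, n, len(qnames[(minute, src)]))
                  for (minute, src), n in counts.items() if n >= threshold)

def constructed_sample():
    """Constructed log lines (documentation addresses, not data from the thread)."""
    server = "(203.0.113.53)"
    lines = [f"17-Jan-2012 09:40:{i:02d}.000 client 192.0.2.10#{4000 + i}: "
             f"query: zone{i % 5}.example IN ANY +E {server}" for i in range(30)]
    lines += [
        f"17-Jan-2012 09:40:31.000 client 198.51.100.7#5353: query: www.example IN A + {server}",
        f"17-Jan-2012 09:41:02.000 client 198.51.100.7#5354: query: example IN ANY - {server}",
        "17-Jan-2012 09:41:03.000 general: info: unrelated log line",
    ]
    return lines

if __name__ == "__main__":
    for minute, src, n, names in any_rd_peaks(constructed_sample()):
        print(f"{minute}  {src}  {n} ANY+RD queries for {names} names")
```

Because the source address in such a burst is spoofed, the flagged address identifies the target of the reflected traffic rather than the sender. Tracing which peer or transit link delivered the packets, which the query log does not record, is what locates the missing BCP 38 filter.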
