[dns-operations] Queries for isc.org/ANY/IN
klaus.mailinglists at pernau.at
Tue Jan 17 12:31:35 UTC 2012
On 17.01.2012 10:40, Mark Andrews wrote:
> In message <4F15321A.1020003 at pernau.at>, Klaus Darilion writes:
>> Hi all!
>> I can confirm this. We see peaks of around 2000q/s on our Anycast DNS
>> servers (2nd level authoritative name servers). Peaks are usually 2-3
>> minutes, sometimes also 2-3 hours. During a peak all the requests come
>> from the same (spoofed) source IP.
>> The queries are ANY/IN for arbitrary (existing) domains with "recursion
>> desired" flag set. Usually we have the peaks in Singapore and Los
>> Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus,
>> I think the attacker's bots are mainly located in Asia.
> You should use these to work out where BCP 38 filters are not in
> place and then fix. If it is from a peer then get them to fix and
> de-peer. If it is from a transit provider they should be enforcing
> BCP 38 as part of their peering agreements and if not find a transit
> provider that does.
> BCP 38 is over a decade old at this point. There is NO excuse any
Seems no one is worrying about excuses at all.
I did some tests with spoofing src-IP addresses from our anycast nodes.
Some ISPs filter bogon src IPs, some use Loose Reverse Path Forwarding,
but from all nodes (6 different ISPs) I can spoof IP addresses from
currently used prefixes (seems nobody uses Strict or Feasible Path
Reverse Path Filtering). Also large carriers like L3 or HE seem not to
Sure I can complain to our ISP, but if they receive spoofed traffic from
their upstream providers I don't think they have enough strength to
force their upstreams into better filtering.
Sure it would be nice if all ISPs would filter spoofed packets, but I do
not think that it would be feasible with proper laws that force the ISPs
to do that.
PS: Sending spoofed ICMP packets to www.isc.org works fine
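The observation above (loose RPF lets spoofed packets through as long as
the spoofed prefix exists somewhere in the routing table, while strict or
feasible-path RPF would have dropped them) is easy to show on a toy
routing table. The following is an added example, not code from the
thread or from any ISP; the FIB, the interface names and the sample
packets are all constructed for illustration.

```python
"""Simulate the three unicast RPF (uRPF) modes on a toy edge router.

Added example, not part of the original mailing-list thread. The FIB,
interface names and sample packets below are assumptions constructed for
illustration, not any real network.
"""
import ipaddress

# Constructed FIB: destination prefix -> interface of the best path.
FIB = {
    "192.0.2.0/24":    "cust1",    # customer A, single-homed
    "198.51.100.0/24": "cust2",    # customer B, multi-homed, best path here
    "203.0.113.0/24":  "transit",  # some remote prefix reached via transit
    "0.0.0.0/0":       "transit",  # default route
}

# Alternative (feasible) BGP paths that were received but not selected,
# as feasible-path uRPF (RFC 3704 section 2.3) would consult them.
FEASIBLE_ALT = {
    "198.51.100.0/24": {"peer1"},  # customer B is also announced via peer1
}


def lookup(src):
    """Longest-prefix match for src; returns (network, interface) or None.

    The default route is ignored, as routers do for uRPF purposes,
    otherwise every address would trivially have a route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def loose_rpf(src, in_iface):
    """Loose mode: forward if ANY non-default route to src exists.
    The ingress interface is ignored, so a spoofed source that belongs
    to any routable prefix passes."""
    return lookup(src) is not None


def strict_rpf(src, in_iface):
    """Strict mode: forward only if the best route to src points back
    out of the interface the packet arrived on."""
    hit = lookup(src)
    return hit is not None and hit[1] == in_iface


def feasible_rpf(src, in_iface):
    """Feasible-path mode: like strict, but also accept the interface of
    any alternative path, which avoids dropping legitimate asymmetric
    traffic from multi-homed customers."""
    hit = lookup(src)
    if hit is None:
        return False
    net, iface = hit
    return in_iface == iface or in_iface in FEASIBLE_ALT.get(str(net), set())


MODES = {"loose": loose_rpf, "strict": strict_rpf, "feasible": feasible_rpf}

# Constructed sample packets: (source address, ingress interface).
SAMPLE = [
    ("192.0.2.10",   "cust1"),    # legitimate: customer A's own address
    ("192.0.2.10",   "transit"),  # spoofed: customer A's prefix from transit
    ("198.51.100.5", "peer1"),    # legitimate but asymmetric: via alt path
    ("10.0.0.1",     "cust1"),    # bogon: no route at all
    ("203.0.113.7",  "cust1"),    # spoofed: customer A sending remote prefix
]


def evaluate(packets):
    """Return {mode: [(src, in_iface) that would be FORWARDED]}."""
    forwarded = {mode: [] for mode in MODES}
    for src, in_iface in packets:
        for mode, check in MODES.items():
            if check(src, in_iface):
                forwarded[mode].append((src, in_iface))
    return forwarded


if __name__ == "__main__":
    for mode, pkts in evaluate(SAMPLE).items():
        print(f"{mode:8s} forwards {len(pkts)}/{len(SAMPLE)}: {pkts}")
```

Loose mode stops only the bogon; both spoofed packets, which use prefixes
that really exist in the table, go through, which matches the result of
spoofing "currently used prefixes" above. Strict mode stops them but also
drops the asymmetric multi-homed customer, which is the usual reason
operators avoid it on peering and transit links; feasible-path mode drops
the spoofed packets and keeps the asymmetric one.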