[dns-operations] Queries for isc.org/ANY/IN

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jan 17 12:31:35 UTC 2012

On 17.01.2012 10:40, Mark Andrews wrote:
> In message<4F15321A.1020003 at pernau.at>, Klaus Darilion writes:
>> Hi all!
>> I can confirm this. We see peaks of around 2000q/s on our Anycast DNS
>> servers (2nd level authoritive name servers). Peaks are usually 2-3
>> minutes, sometimes also 2-3 hours. During a peak all the requests come
>> from the same (spoofed) source IP.
>> The queries are ANY/IN for arbitrary (existing) domains with "recursion
>> desired" flag set. Usually we have the peaks in Singapore and Los
>> Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus,
>> I think the attacker's bots are mainly located in Asia.
>> regards
>> Klaus
> You should use these to work out where BCP 38 filters are not in
> place and then fix.  If it from a peer then get them to fix and
> de-peer.  If it is from a transit provide they should be enforcing
> BCP 38 as part of their peering agreements and if not find a transit
> provider that does.
> BCP 38 is over a decade old at this point.  There is NO excuse any
> longer.

Seems no one is worrying about excuses at all.

I did some test with spoofing src-IP addresses from our anycast nodes. 
Some ISPs filter bogon src IPs, some use Loose Reverse Path Forwarding, 
but from all nodes (6 different ISPs) I can spoof IP addresses from 
currently used prefixes (seems nobody uses Strict or Feasible Path 
Reverse Path Filtering). Also large carriers like L3 or HE seem not to 

Sure I can complain to our ISP, but if they receive spoofed traffic from 
their upstream providers I don't think they have enough strength to 
force their upstreams for better filtering.

Sure it would be nice if all ISPs would filter spoofed packets, but I do 
not think that it would be feasible with proper laws that force the ISPs 
to do that.


PS: Sending spoofed ICMP packets to www.isc.org works fine

More information about the dns-operations mailing list