[dns-operations] Many dns queries to a.root-servers.net

Dario Aguilar dariojaguilar at gmail.com
Fri Mar 2 20:02:00 UTC 2012


Another peculiarity that strikes me is that most, but not all, queries have ID
"1234", and also all queries originating from port 3072 always have ID
"1234"...

This is an example capture of one server:

# tcpdump -nni xx -s0 |grep a.root-servers.net
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0.307, link-type EN10MB (Ethernet), capture size 65535
bytes
16:37:48.106570 IP client_1_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.106649 IP client_2_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.106790 IP client_3_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.106943 IP client_4_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.107519 IP client_5_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.108596 IP client_6_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.109734 IP client_7_address.2054 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.110004 IP client_8_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.112149 IP client_9_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.112727 IP client_10_address.49953 > server_address.53:  420+ A?
a.root-servers.net. (36)
16:37:48.113128 IP client_11_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.114022 IP client_12_address.3125 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.114328 IP client_13_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.115076 IP client_14_address.3075 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.116665 IP client_12_address.3125 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.116741 IP client_15_address.14803 > server_address.53:  85+ A?
a.root-servers.net. (36)
16:37:48.118208 IP client_16_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.118594 IP client_17_address.2054 > server_address.53:  1234+ A?
a.root-servers.net. (36)

I'm thinking out loud, but maybe the query frequency (every 2 sec., 10 sec.,
30 sec., etc.) is related to the number of devices connected behind each
modem, and the cause of this behavior could be multiple (i.e. modem config.
and/or malware/trojan/DDoS tool/botnet).
It would be nice to identify exactly why these queries are generated, to see how
we could proceed to reduce or eliminate them.

On Fri, Mar 2, 2012 at 11:26 AM, Hannes Frederic Sowa <hsowa at bfk.de> wrote:

> On 03/01/2012 09:42 PM, Dario Aguilar wrote:
>
>> is a possibility but we are talking about a query every few seconds, not
>> minutes, actually. An additional fact is that queries come from
>> thousands of different clients and the source port, in most cases is 3072.
>>
>
> AFAIK, this port is/was associated with the DDoS tool 'juno'.
>
> --
> Hannes Sowa                   <hsowa at bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99
>
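The anomaly Dario points at in the capture is a fingerprint: independent resolvers randomise both the DNS transaction ID and the UDP source port, so one (source port, ID) pair shared by thousands of unrelated clients indicates a common stub implementation or tool rather than organic resolution. The script below, an added example that is not part of the thread, rejoins the mail-wrapped tcpdump lines, groups queries by that pair, and measures per-client repeat intervals, which is the check the author speculates about (2, 10 or 30 second periods). The sample capture is constructed in the same format as the post, with placeholder client names; the threshold of three clients is an arbitrary assumption for the small sample and would be far higher on a real feed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the tcpdump output in the post, wrapped
# after "A?" the way the mail client wrapped it. Addresses are placeholders;
# client_1 reappears two seconds later to give an interval to measure.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
16:37:48.106570 IP client_1_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.106649 IP client_2_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.106790 IP client_3_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.109734 IP client_4_address.2054 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.112727 IP client_5_address.49953 > server_address.53:  420+ A?
a.root-servers.net. (36)
16:37:48.113128 IP client_6_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
16:37:48.116741 IP client_7_address.14803 > server_address.53:  85+ A?
a.root-servers.net. (36)
16:37:50.106601 IP client_1_address.3072 > server_address.53:  1234+ A?
a.root-servers.net. (36)
"""

# A record line starts with a tcpdump timestamp; anything else is a wrapped
# continuation (or a banner line, which the query regex will then reject).
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.53:\s+(?P<txid>\d+)\+ A\? (?P<qname>\S+) \(\d+\)$"
)


def join_wrapped(lines):
    """Glue mail-wrapped continuation lines back onto their tcpdump record."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):
            out.append(line)
        elif out:
            out[-1] += " " + line
    return out


def to_seconds(ts):
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_queries(text):
    """Return one dict per A? query line; non-matching lines are skipped."""
    records = []
    for line in join_wrapped(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": to_seconds(m["ts"]), "src": m["src"], "sport": m["sport"],
            "txid": m["txid"], "qname": m["qname"],
        })
    return records


def shared_fingerprints(records, min_clients=3):
    """Map (source port, transaction ID) to the distinct clients using it.

    Only pairs seen from at least min_clients sources are returned: a pair
    shared across unrelated clients is the signature of a fixed-ID stub."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["sport"], r["txid"])].add(r["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_clients}


def query_intervals(records):
    """Seconds between successive queries per client (clients seen once omitted)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    return {src: [round(b - a, 3) for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for src, ts in by_src.items() if len(ts) > 1}


if __name__ == "__main__":
    recs = parse_queries(SAMPLE)
    for (sport, txid), clients in shared_fingerprints(recs).items():
        print(f"port {sport} / ID {txid}: {len(clients)} clients -> {clients}")
    for src, gaps in query_intervals(recs).items():
        print(f"{src}: repeat intervals {gaps}")
```

Run against a real capture, feed `tcpdump -nn -l` output through `parse_queries` and raise `min_clients` to something like 50; the interval histogram per client then separates modem firmware on a fixed timer from hosts whose period drifts with load.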