[dns-operations] Interesting log analysis
WBrown at e1b.org
Wed Apr 3 14:29:30 UTC 2013
I noticed that queries for isc.org would come from numerous IP addresses
but the source port would be consistent for long periods of time. A
little jiggery with daemon.log and I got the report below, where the first
column is the number of occurrences of the source port (# separator
changed to space for sort/uniq field definition). The port number is the
only field I used in this; the IP address below is just one of many hits for
that port.
Commands used were:
sed -e 's/#/ /' /var/log/daemon.log | sort -k 8 > ~/sorted
# uniq -f skips N fields, so -f 7 compares from field 8 (the port) onward
uniq -c -d -f 7 ~/sorted | sort -n -r -k 1 | more
Does it make sense to look at source port for any level of rate limiting?
4085406 Apr 1 00:00:00 ns3 named[3407]: client 178.32.36.37 25345
(isc.org): query (cache) 'isc.org/ANY/IN' denied
113613 Apr 1 00:06:28 ns3 named[3407]: client 5.135.134.141 26451
(isc.org): query (cache) 'isc.org/ANY/IN' denied
37086 Apr 2 00:10:44 ns3 named[3407]: client 108.59.9.97 49940
(isc.org): query (cache) 'isc.org/ANY/IN' denied
6388 Apr 1 17:22:07 ns3 named[3407]: client 91.102.165.40 41819
(isc.org): query (cache) 'isc.org/ANY/IN' denied
5703 Apr 3 01:28:24 ns3 named[3407]: client 178.32.62.37 57335
(isc.org): query (cache) 'isc.org/ANY/IN' denied
4513 Apr 3 01:41:15 ns3 named[3407]: client 69.60.109.62 32743
(isc.org): query (cache) 'isc.org/ANY/IN' denied
4009 Apr 1 13:29:08 ns3 named[3407]: client 85.180.66.207 28943
(isc.org): query (cache) 'isc.org/ANY/IN' denied
3410 Apr 1 21:18:15 ns3 named[3407]: client 5.135.134.141 38299
(isc.org): query (cache) 'isc.org/ANY/IN' denied
3225 Apr 3 02:07:16 ns3 named[3407]: client 46.105.191.93 31198
(isc.org): query (cache) 'isc.org/ANY/IN' denied
2505 Apr 1 00:01:18 ns3 named[3407]: limit responses to
216.226.125.0/24
2504 Apr 1 00:01:06 ns3 named[3407]: stop limiting error responses to
216.226.125.0/24
2280 Mar 31 22:55:43 ns3 named[3407]: client 5.135.134.141 18406
(isc.org): query (cache) 'isc.org/ANY/IN' denied
2231 Apr 2 00:10:44 ns3 named[3407]: client 108.59.9.97 53501
(isc.org): query (cache) 'isc.org/ANY/IN' denied
2178 Apr 1 15:49:56 ns3 named[3407]: client 178.32.244.171 45813
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1845 Apr 2 18:20:23 ns3 named[3407]: client 62.75.246.181 14716
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1704 Mar 31 15:20:48 ns3 named[3407]: client 176.31.24.240 35853
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1325 Apr 1 14:27:54 ns3 named[3407]: client 37.43.129.10 14898
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1049 Apr 1 18:45:47 ns3 named[3407]: client 178.32.62.37 34424
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1043 Apr 1 20:40:06 ns3 named[3407]: client 5.135.134.141 48733
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1033 Apr 1 13:29:08 ns3 named[3407]: client 85.180.66.207 43639
(isc.org): query (cache) 'isc.org/ANY/IN' denied
1022 Apr 1 19:02:39 ns3 named[3407]: client 208.98.0.3 61182
(isc.org): query (cache) 'isc.org/ANY/IN' denied
These are all records where the count was above 1000.
--
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
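As an added example (not code from the post above), the same per-port count done in Python and extended with the check the observation suggests: how many distinct source addresses share each source port, which is what makes a fixed port across many client IPs stand out from ordinary resolver traffic. The log lines are constructed with RFC 5737 documentation addresses to mirror the format in the report.

```python
import re
from collections import defaultdict

# Matches the BIND "query denied" lines in the post: a syslog prefix, then
# "client <ip>#<port> (<name>): query (cache) '<qname>/<qtype>/IN' denied".
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+) \([^)]*\): query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Constructed sample lines (documentation addresses), same layout as daemon.log.
SAMPLE = [
    "Apr  1 00:00:00 ns3 named[3407]: client 192.0.2.10#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "Apr  1 00:00:01 ns3 named[3407]: client 192.0.2.11#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "Apr  1 00:00:02 ns3 named[3407]: client 198.51.100.7#25345 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "Apr  1 00:00:03 ns3 named[3407]: client 203.0.113.5#51001 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "Apr  1 00:01:18 ns3 named[3407]: limit responses to 192.0.2.0/24",
]


def port_stats(lines):
    """Return {port: (hit_count, set_of_source_ips)} over denied-query lines."""
    stats = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # RRL "limit responses" lines and anything else is skipped
        entry = stats[int(m.group("port"))]
        entry[0] += 1
        entry[1].add(m.group("ip"))
    return {port: (count, ips) for port, (count, ips) in stats.items()}


def suspicious_ports(lines, min_hits=1000, min_ips=2):
    """Ports with at least min_hits denied queries arriving from at least
    min_ips distinct client addresses, highest count first, as
    (hit_count, port, distinct_ip_count) tuples. The thresholds are
    assumptions; 1000 mirrors the cut-off used for the report above."""
    return sorted(
        ((count, port, len(ips))
         for port, (count, ips) in port_stats(lines).items()
         if count >= min_hits and len(ips) >= min_ips),
        reverse=True,
    )


if __name__ == "__main__":
    for count, port, n_ips in suspicious_ports(SAMPLE, min_hits=3):
        print(f"{count:>8} hits on source port {port} from {n_ips} distinct IPs")
```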