[dns-operations] High qps for type32xxx records

Mike Jones mike at mikejones.in
Sat Dec 17 00:42:51 UTC 2016


On 15 December 2016 at 07:42, O'Hara, Ben <Ben.O'Hara at neustar.biz> wrote:
> Sorry had to change subbed address to resend.
>
> Anyone else seeing a huge increase for requests for $random.$tld type32xxx
> +dnssec (changes) hitting their auth server? Were doing about 5 , times our
> normal query rate intermittently over the last 3 days (not a problem, but
> interested what it is)
>
> Doesn't look to be from a spoofed sources as per a normal amplification
> attack (and were using rrl already)
>
> I know another providers seeing the same.
>
> Any ideas what they are trying to do? It's all nxdomain responses plus the
> dnssec records.
>
> Cheers
> Ben

Bots looking for a master?

- Mike



More information about the dns-operations mailing list