[dns-operations] honeypot : so many bees from Amazon

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 5 18:45:04 UTC 2019

> On Mar 5, 2019, at 4:24 AM, MAYER Hans <Hans.Mayer at iiasa.ac.at> wrote:
> With the experience of these scans during the last months I was interested to know more about the intentions of these hackers. Therefore I created a subdomain also with reverse lookup for an IP-range which is not used. As these lookups for my in-addr.arpa. range are still ongoing it was not surprising that after short time the dots in the geo-map are spread over the world. Looking for names in this subdomain is only possible if someone did a reverse lookup before. Assuming that the same source IP addresses respectively domains for name lookups are identical to those for reverse lookup is completely wrong. This is a list of all IP addresses which did a lookup for this honeypot names during the last 5 days:

Why would PTR lookups be assumed to be done by hackers?
My guess would be an academic study of the IPv4 address
space.  Or some commercial whitehat vulnerability scan.
Project Sonar, etc.


More information about the dns-operations mailing list