[dns-operations] Resolvers seeing repeated bursts of identical queries

Joe Abley jabley at hopcount.ca
Mon Jan 9 13:31:18 UTC 2023


Hey,

On Mon, Jan 9, 2023 at 03:50, <sthaug at nethelp.no> wrote:

> Example of (part of) query burst - in this case the client sends
> bursts of 84 queries within less than 1 ms:
>
> 09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> ...
> 09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)

Have you looked at the IP TTL within each of these bursts?

A random distribution might suggest a dispersed set of sources (or ALGs or NATs or something). Patterns might give other clues.

Joe
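As an added illustration of the check Joe suggests (example code written for this page, not from the original thread or from either poster): group identical queries into sub-millisecond bursts and tabulate the IP TTL and source-port spread inside each burst. It assumes the two-line-per-packet format of `tcpdump -n -v` (IP header summary, then the indented UDP/DNS summary), which is where the TTL shows up. The capture in `SAMPLE` is constructed: it reuses the addresses and query ID from the quoted excerpt and adds a second, invented burst from an RFC 5737 address with mixed TTLs. The initial-TTL table used for the hop estimate is the usual 32/64/128/255 heuristic, not anything the thread states.

```python
"""Group identical DNS queries into sub-millisecond bursts and report the IP TTL
and source-port distribution inside each burst (added example; assumes the
two-line packet format of `tcpdump -n -v`)."""
import re
from collections import Counter
from dataclasses import dataclass

# IP header line of `tcpdump -n -v`, e.g.
#   09:24:56.593259 IP (tos 0x0, ttl 57, id 44101, offset 0, flags [none], proto UDP (17), length 66)
HDR = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*\bttl (?P<ttl>\d+),.*\)\s*$')
# Indented DNS line that follows it, e.g.
#       194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
DNS = re.compile(r'^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
                 r'(?P<id>\d+)\+? (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)\s*$')

@dataclass
class Query:
    ts: float      # seconds since midnight
    src: str
    sport: int
    ttl: int
    dns_id: int
    qname: str

def _seconds(hhmmss):
    h, m, s = hhmmss.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_tcpdump_v(text):
    """Return one Query per header+DNS line pair found in `text`; other lines are skipped."""
    lines = text.strip().splitlines()
    out, i = [], 0
    while i + 1 < len(lines):
        h, d = HDR.match(lines[i]), DNS.match(lines[i + 1])
        if h and d:
            out.append(Query(_seconds(h['ts']), d['src'], int(d['sport']),
                             int(h['ttl']), int(d['id']), d['qname']))
            i += 2
        else:
            i += 1
    return out

def find_bursts(queries, window_s=0.001, min_size=3):
    """Consecutive packets with the same (src, DNS id, qname) and inter-arrival gap
    <= window_s form one burst; bursts with fewer than min_size packets are dropped."""
    bursts, cur = [], []
    for q in sorted(queries, key=lambda q: q.ts):
        same = cur and (q.src, q.dns_id, q.qname) == (cur[-1].src, cur[-1].dns_id, cur[-1].qname)
        if same and q.ts - cur[-1].ts <= window_s:
            cur.append(q)
        else:
            if len(cur) >= min_size:
                bursts.append(cur)
            cur = [q]
    if len(cur) >= min_size:
        bursts.append(cur)
    return bursts

INITIAL_TTLS = (32, 64, 128, 255)   # common OS initial TTLs (heuristic assumption)

def hops_from_ttl(ttl):
    """Rough hop count: distance from the nearest common initial TTL at or above ttl."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl

def describe_burst(burst):
    ttls = Counter(q.ttl for q in burst)
    return {
        'src': burst[0].src, 'dns_id': burst[0].dns_id, 'qname': burst[0].qname,
        'count': len(burst),
        'span_ms': round((burst[-1].ts - burst[0].ts) * 1000, 3),
        'distinct_ports': len({q.sport for q in burst}),
        'ttls': dict(ttls),
        'hops': sorted({hops_from_ttl(t) for t in ttls}),
        # one TTL value fits a single host/path; several behind one address point
        # at many origins (or a NAT/ALG) rather than one client retransmitting
        'ttl_pattern': 'uniform' if len(ttls) == 1 else 'mixed',
    }

# Constructed sample capture: the first burst mirrors the quoted excerpt (uniform TTL);
# the second, from an RFC 5737 address, is invented to show a mixed-TTL burst.
SAMPLE = """\
09:24:56.593259 IP (tos 0x0, ttl 57, id 44101, offset 0, flags [none], proto UDP (17), length 66)
    194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593283 IP (tos 0x0, ttl 57, id 44102, offset 0, flags [none], proto UDP (17), length 66)
    194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593307 IP (tos 0x0, ttl 57, id 44103, offset 0, flags [none], proto UDP (17), length 66)
    194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593346 IP (tos 0x0, ttl 57, id 44104, offset 0, flags [none], proto UDP (17), length 66)
    194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593350 IP (tos 0x0, ttl 57, id 44105, offset 0, flags [none], proto UDP (17), length 66)
    194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:57.100000 IP (tos 0x0, ttl 57, id 44200, offset 0, flags [none], proto UDP (17), length 57)
    194.19.79.131.50000 > 193.75.75.193.53: 1111+ A? example.net. (29)
09:24:58.000100 IP (tos 0x0, ttl 57, id 501, offset 0, flags [none], proto UDP (17), length 66)
    198.51.100.7.40001 > 193.75.75.193.53: 4242+ A? www.jointraining.com. (38)
09:24:58.000150 IP (tos 0x0, ttl 49, id 502, offset 0, flags [none], proto UDP (17), length 66)
    198.51.100.7.40002 > 193.75.75.193.53: 4242+ A? www.jointraining.com. (38)
09:24:58.000210 IP (tos 0x0, ttl 120, id 503, offset 0, flags [none], proto UDP (17), length 66)
    198.51.100.7.40003 > 193.75.75.193.53: 4242+ A? www.jointraining.com. (38)
09:24:58.000260 IP (tos 0x0, ttl 57, id 504, offset 0, flags [none], proto UDP (17), length 66)
    198.51.100.7.40004 > 193.75.75.193.53: 4242+ A? www.jointraining.com. (38)
09:24:58.000300 IP (tos 0x0, ttl 243, id 505, offset 0, flags [none], proto UDP (17), length 66)
    198.51.100.7.40005 > 193.75.75.193.53: 4242+ A? www.jointraining.com. (38)
"""

if __name__ == '__main__':
    for b in find_bursts(parse_tcpdump_v(SAMPLE)):
        print(describe_burst(b))
```

On a live resolver, feed it `tcpdump -n -v -i eth0 udp dst port 53` output; on the constructed sample the first burst reports five packets, five source ports, one TTL (57), while the second reports four different TTLs and hop estimates of 7, 8, 12 and 15, the kind of spread Joe's "random distribution" remark refers to. The bursts in the quoted excerpt also reuse DNS ID 24781 across every source port, which the grouping key deliberately keys on; a client retrying would normally pick fresh IDs.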
