[dns-operations] Resolvers seeing repeated bursts of identical queries

sthaug at nethelp.no sthaug at nethelp.no
Mon Jan 9 13:38:59 UTC 2023


>> Example of (part of) query burst - in this case the client sends
>> bursts of 84 queries within less than 1 ms:
>>
>> 09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>> 09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>> 09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>> 09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>> 09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>> 09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
>> ...
>> 09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 
> Have you looked at the IP TTL within each of these bursts?
> 
> A random distribution might suggest a dispersed set of sources (or ALGs or NATs or something). Patterns might give other clues.

Good point. However, all of the queries within one burst have the same
IP TTL, which suggests they were generated by the same host.

Steinar Haug, AS2116
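The check discussed in this exchange, as an added example (not code from the list or from either poster): parse tcpdump output, cluster identical queries from one client (same source address, same transaction ID, same name) that arrive with gaps of at most 1 ms, and report how many source ports and how many distinct IP TTL values each burst contains. The parser accepts the one-line `tcpdump -n` form quoted above, which carries no TTL, and the two-line `tcpdump -n -v` form, where the first line holds the IP header with `ttl N`. The sample capture, the addresses and the names in it are constructed; the resolver address and the 1 ms / 5-query thresholds are assumptions to tune for your own traffic.

```python
"""Spot bursts of identical DNS queries in tcpdump output and check IP TTL spread.

Added example for the thread above; not code from the list or its posters.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Timestamp + "IP" prefix shared by both tcpdump line shapes.
TS_RE = re.compile(r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<rest>.*)$")
# IP header as printed by `tcpdump -v`: "(tos 0x0, ttl 57, id 0, offset 0, ...)".
TTL_RE = re.compile(r"\(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+),")
# UDP flow and DNS question: "192.0.2.10.40000 > 198.51.100.53.53: 24781+ A? www.example.com. (38)".
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)"
)


@dataclass
class Query:
    ts: float          # seconds since midnight
    src: str
    sport: int
    txid: int
    qname: str
    ttl: Optional[int]  # None when the capture was not taken with -v


def parse_tcpdump(text):
    """Return one Query per DNS question found in tcpdump text (either line shape)."""
    queries = []
    pending_ts = pending_ttl = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            rest = m["rest"]
            if rest.startswith("("):  # -v form: IP header here, flow on the next line
                t = TTL_RE.search(rest)
                pending_ts, pending_ttl = ts, (int(t["ttl"]) if t else None)
                continue
            f = FLOW_RE.search(rest)  # plain -n form: everything on one line, no TTL
            if f:
                queries.append(Query(ts, f["src"], int(f["sport"]), int(f["txid"]), f["qname"], None))
            continue
        f = FLOW_RE.search(line)
        if f and pending_ts is not None:  # indented continuation line of the -v form
            queries.append(Query(pending_ts, f["src"], int(f["sport"]), int(f["txid"]), f["qname"], pending_ttl))
            pending_ts = pending_ttl = None
    return queries


def find_bursts(queries, max_gap=0.001, min_size=5):
    """Group identical queries (same client, txid, qname) whose inter-arrival gap never
    exceeds max_gap seconds; keep only runs of at least min_size queries."""
    by_key = defaultdict(list)
    for q in queries:
        by_key[(q.src, q.txid, q.qname)].append(q)
    bursts = []
    for qs in by_key.values():
        qs.sort(key=lambda q: q.ts)
        run = [qs[0]]
        for prev, cur in zip(qs, qs[1:]):
            if cur.ts - prev.ts <= max_gap:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    bursts.append(run)
                run = [cur]
        if len(run) >= min_size:
            bursts.append(run)
    return bursts


def summarize(burst):
    """Describe one burst; a single TTL value points at one sender, a spread at several."""
    ttls = sorted({q.ttl for q in burst if q.ttl is not None})
    return {
        "client": burst[0].src, "txid": burst[0].txid, "qname": burst[0].qname,
        "count": len(burst),
        "span_ms": round((burst[-1].ts - burst[0].ts) * 1000, 3),
        "distinct_sports": len({q.sport for q in burst}),
        "ttls": ttls,
        "verdict": ("unknown (no TTL in capture)" if not ttls
                    else "single host likely" if len(ttls) == 1
                    else "multiple sources likely"),
    }


def analyze(text, **kw):
    return [summarize(b) for b in find_bursts(parse_tcpdump(text), **kw)]


def _v_record(ts, ttl, src, sport, txid, qname):
    # Constructed `tcpdump -n -v` record: IP header line, then the UDP/DNS line.
    return (f"{ts} IP (tos 0x0, ttl {ttl}, id 0, offset 0, flags [none], proto UDP (17), length 66)\n"
            f"    {src}.{sport} > 198.51.100.53.53: {txid}+ A? {qname} (38)")


# Constructed sample capture (documentation addresses, made-up names and timings).
SAMPLE = "\n".join(
    # client 192.0.2.10: six identical queries within 80 us, all ttl 57 -> one sender
    [_v_record(f"09:24:56.5932{i:02d}", 57, "192.0.2.10", 40000 + i, 24781, "www.example.com.")
     for i in range(0, 96, 16)]
    # client 192.0.2.20: six identical queries within 5 us, mixed ttl -> several senders
    + [_v_record(f"09:24:57.1000{i:02d}", ttl, "192.0.2.20", 50000 + i, 4242, "www.example.org.")
       for i, ttl in enumerate([57, 57, 128, 128, 63, 57])]
    # a lone repeat from 192.0.2.10 one second later; not part of any burst
    + [_v_record("09:24:57.593259", 57, "192.0.2.10", 40777, 24781, "www.example.com.")]
)

if __name__ == "__main__":
    for report in analyze(SAMPLE):
        print(report)
```

Run it against a real capture with `tcpdump -n -v -i <iface> udp dst port 53` piped into a file and `analyze(open(path).read())`; without `-v` the script still finds the bursts but reports the verdict as unknown, since the TTL is not printed in that form.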


