[dns-operations] random queries
Hans Mayer
isc at ma.yer.at
Sat Mar 15 20:06:46 UTC 2025
On 15.03.25 15:29, Matt Nordhoff wrote:
> On Sat, Mar 15, 2025 at 11:14 AM Hans Mayer via dns-operations
> <dns-operations at dns-oarc.net> wrote:
> The "source" IP has changed a few times but I think it's always within
> 60.26.0.0/16. Right now it's 60.26.67.97.
I don't think it's "right now". It seems there is a pool of such
"services" acting.
I saw different IP addresses on different resolvers, but always the same
IP address for the same DNS server for a certain time interval. And from
time to time the IP address disappears and a new one comes up.
> Since it could be a reflection/amplification attack with spoofed
> source addresses, that might be the victim rather than anyone
> responsible.
For an attack it comes at too regular intervals, in my opinion.
This is the time series for the last 2 weeks for 60.26.0.0/16 with 2 IP
addresses involved.
Average is about 122.3 queries in 3 hours. I don't have the deviation
ready to hand.
// Hans
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2025-03-15 at 20.56.23.png
Type: image/png
Size: 36861 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20250315/bed134b6/attachment-0001.png>
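Added example, not part of the original post: one way to put a number on the "too regular" observation above is to count queries from the prefix per 3-hour bucket and report the mean, standard deviation and coefficient of variation. The (timestamp, source IP) event format, the dates and both sample series are constructed for illustration; only the prefix and address come from the thread.

```python
import ipaddress
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

BUCKET = timedelta(hours=3)
WATCHED = ipaddress.ip_network("60.26.0.0/16")  # prefix named in the thread

def bucket_counts(events, start, end, net=WATCHED):
    """Count queries from `net` per 3-hour bucket, keeping empty buckets."""
    n_buckets = int((end - start) / BUCKET)
    counts = Counter()
    for ts, src in events:
        if start <= ts < end and ipaddress.ip_address(src) in net:
            counts[int((ts - start) / BUCKET)] += 1
    return [counts.get(i, 0) for i in range(n_buckets)]

def regularity(counts):
    """Return (mean, population std dev, coefficient of variation)."""
    mean = statistics.fmean(counts)
    sd = statistics.pstdev(counts)
    return mean, sd, (sd / mean if mean else float("inf"))

def sample(start, n, step_s, src):
    """Constructed helper: n events from src, one every step_s seconds."""
    return [(start + timedelta(seconds=i * step_s), src) for i in range(n)]

# Constructed data: 24 hours, 960 queries from the watched prefix each time.
T0 = datetime(2025, 3, 1, tzinfo=timezone.utc)
T1 = T0 + timedelta(hours=24)
# Steady: one query every 90 s, plus unrelated traffic that must be ignored.
STEADY = sample(T0, 960, 90, "60.26.67.97") + sample(T0, 50, 600, "192.0.2.10")
# Bursty: the same volume squeezed into a single 3-hour window.
BURSTY = sample(T0 + timedelta(hours=6), 960, 10, "60.26.67.97")

if __name__ == "__main__":
    for name, events in (("steady", STEADY), ("bursty", BURSTY)):
        c = bucket_counts(events, T0, T1)
        print(name, c, "mean=%.1f sd=%.1f cv=%.2f" % regularity(c))
```

Both series have the same 3-hour mean, so the average alone cannot separate them; the deviation across buckets does.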