<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Sans Unicode";
panose-1:2 11 6 2 3 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Hi, <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We have also noticed similar bursts in the past. Maybe not at those rates, but significantly larger than normal. In the magnitude of 10-20x of normal traffic, and only from a small amount of sources.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The main IP’s at the time was AWS servers. My conclusion at the time was that some sites did reverse lookups without using a caching resolver. I might have reached out to Amazon, but I can’t remember. It was
a couple of years ago.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I also saw some of the larger Swedish web hosting companies at that time, which I did reach out to.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Since the traffic was no threat of overloading our authoritative servers, I let them pass.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Have not looked at it for a while though.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="SV" style="color:#1F497D">BR,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="SV" style="color:#1F497D">Bjorn Hellqvist<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="SV" style="color:#1F497D">Senior System Expert (Internet, DNS & Automation)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Telia Company<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Solna, Sweden<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> dns-operations [mailto:dns-operations-bounces@dns-oarc.net]
<b>On Behalf Of </b>MONROE, JEREMY<br>
<b>Sent:</b> den 22 december 2018 16:35<br>
<b>To:</b> dns-operations@dns-oarc.net; ask-rssac@icann.org<br>
<b>Subject:</b> [dns-operations] in-addr.arpa spikes in DNS traffic<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please see below – AT&T has received bursts in PTR queries as described below – has anyone hear seen similar behavior recently? This first occurred in March of 2018 – subsided and began again here in December.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New"">Jeremy Monroe<o:p></o:p></span></b></p>
<p class="MsoNormal"><i><span lang="EN">Q Me </span></i><i><span lang="EN" style="font-family:"Times New Roman",serif"><a href="qto://talk/jm9386"><span style="color:blue">qto://talk/jm9386
</span></a></span></i><b><i><u><span style="color:red"><o:p></o:p></span></u></i></b></p>
<p class="MsoNormal">Senior - IT Network Design<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:maroon">Enterprise IP Services Support<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">AT&T Services Inc – Network Cloud and Infrastructure Ops</span>
<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:maroon">Intranet:</span></b><b>
</b><b><span style="font-size:10.0pt;font-family:"Courier New";color:blue"><a href="http://eiss.it.att.com/"><span style="font-family:"Times New Roman",serif;color:blue">http://eiss.it.att.com</span></a></span></b>
<br>
<b><span style="font-size:10.0pt;font-family:"Courier New";color:blue"> <a href="http://eiss-dns.it.att.com/">
<span style="font-family:"Times New Roman",serif;color:blue">http://eiss-dns.it.att.com</span></a></span></b>
<br>
<b><span style="font-size:10.0pt;font-family:"Courier New";color:purple">573 204 5463 Skype/office<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:purple">314 235 8168 (AT&T Domains voice mailbox)<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:red"><a href="mailto:3146508345@txt.att.net"><span style="font-family:"Times New Roman",serif;color:blue">3146508345@txt.att.net</span></a> Pager</span></b>
<o:p></o:p></p>
<p class="MsoNormal">314 650 8345 Cell<br>
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#00CC33">"I don't know the secret to success, but the secret to failure is to try and please everyone"</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal"><br>
<span style="font-size:7.5pt;font-family:"Lucida Sans Unicode",sans-serif;color:gray">"This e-mail and any files transmitted with it are the property of at&t, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail
is addressed. If you are not one of the named recipient or otherwise have reason to believe that you have received this message in error, please notify the sender at [jm9386@att.com or 314 235 8168] and delete this message immediately from your computer. Any
other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Wessels, Duane <<a href="mailto:dwessels@verisign.com">dwessels@verisign.com</a>>
<br>
<b>Sent:</b> Friday, December 21, 2018 16:05<br>
<b>To:</b> MONROE, JEREMY <<a href="mailto:jm9386@att.com">jm9386@att.com</a>><br>
<b>Subject:</b> Re: RE: in-addr.arpa spikes in DNS traffic<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yeah that’s an odd one. If the IPs are real (not spoofed) and you see queries that you are authoritative for, then it would point to something generating large amounts of queries through legitimate recursives.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We asked our root server colleagues they saw anything like that. Only one responded so far, and said (like us) they did not.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As you may know, root servers typically handle in the range of 50k q/s these days. The 200-400k that you observe would definitely be noticeable.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Currently the only reasonable way you could reach all the root operators is to send email to
<a href="mailto:ask-rssac@icann.org">ask-rssac@icann.org</a>. Someone would receive it and then forward it to the operators. Given the timing with holidays I wouldn’t hold your breath.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">You might also consider posting to the <a href="mailto:dns-operations@dns-oarc.net">
dns-operations@dns-oarc.net</a> mailing list to reach other DNS operators more broadly.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">DW<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">"MONROE, JEREMY" <<a href="mailto:jm9386@att.com">jm9386@att.com</a>><br>
<b>Date: </b>Friday, December 21, 2018 at 1:48 PM<br>
<b>To: </b>Duane Wessels <<a href="mailto:dwessels@verisign.com">dwessels@verisign.com</a>><br>
<b>Subject: </b>[EXTERNAL] RE: in-addr.arpa spikes in DNS traffic<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">We are seeing short bursts of PTR query traffic. Sources seem to be all open ISP resolvers scattered all over the United States. I host a bunch of in-addr.arpa zones from top level delegations and each of the queries appears to be for
legitimate PTR records that we have defined. We typically receive about 7-10kpps (Packets Per Second) (not terribly large) and over the last week or two have received what seems like coordinated bursts of up and over 200-400kpps of all PTR records. First
observed in the United States – but today I learned our European based resolvers have also received similar spikes. My assumption was that if a bunch of ISP resolvers began receiving PTR queries for recursion – that the root servers might have seen an increase
in folks asking what DNS servers to use for certain in-addr.arpa space at AT&T. We have not seen a significant number of queries for arpa’s that we are not authoritative for – it’s an odd MO.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you for taking the time to reply back. Is there any way to see if any of the other root-server providers have noticed anything of that sort? Im really grasping at straws at this point.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New"">Jeremy Monroe</span></b><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN">Q Me </span></i><i><span lang="EN" style="font-family:"Times New Roman",serif"><a href="qto://talk/jm9386"><span style="color:blue">qto://talk/jm9386
</span></a></span></i><o:p></o:p></p>
<p class="MsoNormal">Senior - IT Network Design<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:maroon">Enterprise IP Services Support</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">AT&T Services Inc – Network Cloud and Infrastructure Ops</span>
<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:maroon">Intranet:</span>
</b><b><span style="font-size:10.0pt;font-family:"Courier New";color:blue"><a href="http://eiss.it.att.com/"><span style="font-family:"Times New Roman",serif;color:blue">http://eiss.it.att.com</span></a></span></b>
<br>
<b><span style="font-size:10.0pt;font-family:"Courier New";color:blue"> <a href="http://eiss-dns.it.att.com/">
<span style="font-family:"Times New Roman",serif;color:blue">http://eiss-dns.it.att.com</span></a></span></b>
<br>
<b><span style="font-size:10.0pt;font-family:"Courier New";color:purple">573 204 5463 Skype/office</span></b><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:purple">314 235 8168 (AT&T Domains voice mailbox)</span></b><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:red"><a href="mailto:3146508345@txt.att.net"><span style="font-family:"Times New Roman",serif;color:blue">3146508345@txt.att.net</span></a> Pager</span></b>
<o:p></o:p></p>
<p class="MsoNormal">314 650 8345 Cell<br>
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#00CC33">"I don't know the secret to success, but the secret to failure is to try and please everyone"</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
<p class="MsoNormal"><br>
<span style="font-size:7.5pt;font-family:"Lucida Sans Unicode",sans-serif;color:gray">"This e-mail and any files transmitted with it are the property of at&t, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail
is addressed. If you are not one of the named recipient or otherwise have reason to believe that you have received this message in error, please notify the sender at [jm9386@att.com or 314 235 8168] and delete this message immediately from your computer. Any
other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."</span><o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Wessels, Duane <<a href="mailto:dwessels@verisign.com">dwessels@verisign.com</a>>
<br>
<b>Sent:</b> Friday, December 21, 2018 15:37<br>
<b>To:</b> MONROE, JEREMY <<a href="mailto:jm9386@att.com">jm9386@att.com</a>><br>
<b>Subject:</b> Re: in-addr.arpa spikes in DNS traffic<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Jeremy,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We don’t see anything like that here. You mentioned both PTR and NS queries. Are you seeing both, or is it one or the other?
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">What you describe could be caused by availability issues with the lower levels of the DNS. Did you notice any similarities in the names being queried?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">DW<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">"MONROE, JEREMY" <<a href="mailto:jm9386@att.com">jm9386@att.com</a>><br>
<b>Date: </b>Friday, December 21, 2018 at 7:52 AM<br>
<b>To: </b>rootdns <<a href="mailto:rootdns@verisign.com">rootdns@verisign.com</a>><br>
<b>Subject: </b>[EXTERNAL] in-addr.arpa spikes in DNS traffic</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal">Hello – Im looking into a few network events where we received huge spikes in what appears to be valid PTR record lookups for zones to which we are authoritative for. Can you confirm whether or not the root servers have seen similar spikes
in in-addr.arpa related NS queries?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New"">Jeremy Monroe</span></b><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN">Q Me </span></i><i><span lang="EN" style="font-family:"Times New Roman",serif"><a href="qto://talk/jm9386"><span style="color:blue">qto://talk/jm9386
</span></a></span></i><o:p></o:p></p>
<p class="MsoNormal">Senior - IT Network Design<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:maroon">Enterprise IP Services Support</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">AT&T Services Inc – Network Cloud and Infrastructure Ops</span>
<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:maroon">Intranet:</span>
</b><b><span style="font-size:10.0pt;font-family:"Courier New";color:blue"><a href="http://eiss.it.att.com/"><span style="font-family:"Times New Roman",serif;color:blue">http://eiss.it.att.com</span></a></span></b>
<br>
<b><span style="font-size:10.0pt;font-family:"Courier New";color:blue"> <a href="http://eiss-dns.it.att.com/">
<span style="font-family:"Times New Roman",serif;color:blue">http://eiss-dns.it.att.com</span></a></span></b>
<br>
<b><span style="font-size:10.0pt;font-family:"Courier New";color:purple">573 204 5463 Skype/office</span></b><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:purple">314 235 8168 (AT&T Domains voice mailbox)</span></b><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:red"><a href="mailto:3146508345@txt.att.net"><span style="font-family:"Times New Roman",serif;color:blue">3146508345@txt.att.net</span></a> Pager</span></b>
<o:p></o:p></p>
<p class="MsoNormal">314 650 8345 Cell<br>
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#00CC33">"I don't know the secret to success, but the secret to failure is to try and please everyone"</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
<p class="MsoNormal"><br>
<span style="font-size:7.5pt;font-family:"Lucida Sans Unicode",sans-serif;color:gray">"This e-mail and any files transmitted with it are the property of at&t, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail
is addressed. If you are not one of the named recipient or otherwise have reason to believe that you have received this message in error, please notify the sender at [jm9386@att.com or 314 235 8168] and delete this message immediately from your computer. Any
other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</body>
</html>