[104935] in North American Network Operators' Group
Re: Large number of DNS probes in last 24 hours
daemon@ATHENA.MIT.EDU (Jim Wise)
Sat May 31 00:34:48 2008
Date: Sat, 31 May 2008 00:34:31 -0400 (EDT)
From: Jim Wise <jwise@draga.com>
To: Michael Still <mikal@stillhq.com>
In-Reply-To: <4840BF61.5000906@stillhq.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Fri, 30 May 2008, Michael Still wrote:
>Jim Wise wrote:
>> I've seen a surprising number of attempted recursive DNS requests
>> against unpublished non-recursive DNS servers in the last 24 hours or
>> so, many of them obviously probes of some sort (query for "." IN NS,
>> e.g.).
>>
>> Is anyone else seeing this? Is it new? Or did some botnet just reach
>> this corner of the IP space?
>
>I have seen PlanetLab experiments doing this. What are the originating
>IP addresses?
Three observed source addresses:
208.78.169.237
204.11.51.62
194.199.24.101
Source ports are high and non-repeating. Other than the domain root,
A-record queries for "google.com" and for hostnames which appear to be
on the same subnet as the querying host.
--
Jim Wise
jwise@draga.com
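A defender's check for the traffic described in this thread, as an added example that is not part of the original message: it parses raw DNS query payloads and counts, per source, queries that set the recursion-desired (RD) bit for names outside the zones the server is authoritative for. `SERVED_ZONES`, the function names, and the sample packets and addresses are assumptions constructed for illustration.

```python
import struct
from collections import Counter

SERVED_ZONES = ("example.org.",)  # assumption: zones this server answers for

def parse_query(payload):
    """Return (rd, qname, qtype) for a one-question DNS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # QR set means response, not query
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer or overrun: reject
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(payload):  # need root byte + qtype + qclass
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return bool(flags & 0x0100), ".".join(labels) + ".", qtype

def is_recursion_probe(payload, zones=SERVED_ZONES):
    """True when RD is set and the name is outside every served zone."""
    parsed = parse_query(payload)
    if parsed is None:
        return False
    rd, qname, _qtype = parsed
    in_zone = any(qname == z or qname.endswith("." + z) for z in zones)
    return rd and not in_zone

def build_query(name, qtype, rd=True):
    """Build a constructed test query (not captured traffic)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def probes_by_source(packets):
    """Count probe-like queries per source address."""
    return Counter(src for src, data in packets if is_recursion_probe(data))

SAMPLE = [  # constructed packets from documentation addresses
    ("192.0.2.10", build_query(".", 2)),           # "." IN NS with RD=1
    ("192.0.2.10", build_query("google.com", 1)),  # out-of-zone A with RD=1
    ("198.51.100.7", build_query("www.example.org", 1, rd=False)),
]
```

Calling `probes_by_source(SAMPLE)` attributes both out-of-zone recursive queries to the first source and none to the second.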