[104990] in North American Network Operators' Group

Re: Large number of DNS probes in last 24 hours

daemon@ATHENA.MIT.EDU (Michael Still)
Mon Jun 2 18:37:13 2008

Date: Mon, 02 Jun 2008 15:36:54 -0700
From: Michael Still <mikal@stillhq.com>
To: Jim Wise <jwise@draga.com>
In-Reply-To: <alpine.NEB.1.10.0805310030030.1704@himring.draga.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Jim Wise wrote:
> On Fri, 30 May 2008, Michael Still wrote:

>> I have seen PlanetLab experiments doing this. What are the originating
>> IP addresses?
> 
> Three observed source addresses
> 
> 	208.78.169.237
> 	204.11.51.62
> 	194.199.24.101
> 
> Source ports are high and non-repeating.  Other than the domain root, 
> A-record queries for "google.com" and for hostnames which appear to be 
> on the same subnet as the querying host.

Hmmm. All the PlanetLab nodes should have valid reverse DNS, which isn't
the case here, so I guess it is something more malicious.

Mikal
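
An added example, not part of the original message: one way to pick sources matching the pattern described in the thread (a query for the root plus an A query for google.com, from high source ports that never repeat) out of a resolver query log. The log lines are constructed in the style of BIND 9 query logging and use documentation addresses; the function names and the 1024 port threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (BIND 9 query-log style). Addresses are from
# RFC 5737 documentation ranges, not the sources named in the thread.
SAMPLE_LOG = """\
02-Jun-2008 15:01:02.101 client 192.0.2.10#41822: query: . IN NS +
02-Jun-2008 15:01:02.350 client 192.0.2.10#53017: query: google.com IN A +
02-Jun-2008 15:01:03.004 client 192.0.2.10#60911: query: host7.example.net IN A +
02-Jun-2008 15:01:04.120 client 198.51.100.5#32768: query: www.example.org IN A +
02-Jun-2008 15:01:04.300 client 198.51.100.5#32768: query: www.example.org IN AAAA +
02-Jun-2008 15:01:05.555 client 203.0.113.77#1055: query: google.com IN A +
02-Jun-2008 15:01:06.010 client 203.0.113.77#1055: query: . IN NS +
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<type>\S+)"
)

def parse(log_text):
    """Yield (source_ip, source_port, qname, qtype) for each query line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["name"].lower(), m["type"].upper()

def find_probe_sources(log_text, min_port=1024):
    """Return sorted source IPs that match the probe pattern from the thread."""
    ports = defaultdict(list)   # every source port seen, per source IP
    asked = defaultdict(set)    # distinct (qname, qtype) pairs, per source IP
    for ip, port, name, qtype in parse(log_text):
        ports[ip].append(port)
        asked[ip].add((name, qtype))
    flagged = []
    for ip, seen in ports.items():
        root_query = any(name == "." for name, _ in asked[ip])
        google_a = ("google.com", "A") in asked[ip]
        # "High and non-repeating": all ports >= min_port, none used twice.
        high_unique = min(seen) >= min_port and len(set(seen)) == len(seen)
        if root_query and google_a and high_unique:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_probe_sources(SAMPLE_LOG))
```

The third trait mentioned in the thread, queries for hostnames that look like they sit on the querying host's subnet, is left out because it needs the PTR names of the sources.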

