[116027] in North American Network Operators' Group
Probes from root servers
daemon@ATHENA.MIT.EDU (Pederson, Krishna)
Thu Jul 16 18:56:11 2009
From: "Pederson, Krishna" <Pederson@covad.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 16 Jul 2009 15:56:29 -0700
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
One of our IP addresses is being probed by up to 8 of the 13 root dns serve=
rs every 15 seconds. I'm looking for input on how to contact the admins for=
the servers or perhaps a way to figure out if perhaps someone is spoofing =
the affected customer IP address, causing the root servers to send the foll=
owing:
sh mls netflow ip destination 74.1.32.205 /32 module 2
Displaying Netflow entries in module 2
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :Adj=
Ptr
---------------------------------------------------------------------------=
--
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
74.1.32.205 193.0.14.129 udp :dns :1039 Fa2/11 :0x0
0 0 1 22:49:03 L3 - Dynamic
74.1.32.205 202.12.27.33 udp :dns :1039 Fa2/11 :0x0
0 0 2 22:49:03 L3 - Dynamic
74.1.32.205 192.36.148.17 udp :dns :1039 Fa2/11 :0x0
0 0 2 22:49:03 L3 - Dynamic
Is it practical to attempt to work the issue with the root server admins or=
is it quite likely this is spoofing and there's no hope to track this down=
?
Thanks,
Kris
