[127178] in North American Network Operators' Group


Todd Underwood was a little late

daemon@ATHENA.MIT.EDU (Jon Lewis)
Wed Jun 16 21:02:13 2010

Date: Wed, 16 Jun 2010 21:01:32 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I just took a closer look at something odd I'd noticed several days ago. 
One of our DNS servers was sending crazy amounts of ARP requests for IPs 
in the /24 its main IP is in.  What I've found is we're getting hit with 
DNS requests that look like they're from "typical internet traffic for 
someone in China" hitting this DNS server from IPs in its /24 which are 
currently not in use (at least on our local network).  It would appear 
someone in China is using our IP space, presumably behind a NAT router, 
and they're leaking some traffic non-NAT'd.

20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53:  15939+ A? ns5.z.lxdns.com. (33)
20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53:  15939+ A? www.nanhutravel.com. (37)
20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53:  15939+ A? test.csxm.cdn20.com. (37)
20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53:  15939+ A? rextest2.lxdns.com. (36)
20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53:  15939+ A? www.51seer.com. (32)
20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53:  15939+ A? image.dhgate.cdn20.com. (40)
20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53:  15939+ A? static.xn-app.com. (35)
20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53:  15939+ A? oa.hanhe.com. (30)
20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53:  15939+ A? pic1.kaixin001.com. (36)
20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53:  15939+ A? rr.snyu.com. (29)
20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53:  15939+ A? edu.163.com. (29)
20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53:  15939+ A? image.dhgate.cdn20.com. (40)
20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53:  15939+ A? uphn.snswall.com. (34)
20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53:  15939+ A? zwgk.cma.gov.cn. (33)
20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53:  15939+ A? btocdn.52yeyou.com. (36)
20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53:  15939+ A? img1.kaixin001.com.cn. (39)
20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53:  15939+ A? rextest2.cdn20.com. (36)
20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53:  15939+ A? www.dameiren.com. (34)
20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53:  15939+ A? pic1.kaixin001.com.cn. (39)
20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53:  15939+ A? i.jstv.com. (28)

I hope they got a good deal on the IP space...and a better deal on their 
buggy router.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
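The symptom described in the post (a DNS server that starts ARPing for unused addresses in its own /24) shows up on the wire before it shows up as ARP noise: queries arrive from on-link source addresses that no live host owns. The following script is an added example, not part of the original post or of any NANOG tooling. It parses tcpdump output of the shape quoted above and flags queries whose source falls inside the server's /24 but is not in a list of known-live neighbours; the server address and the known-host list are assumptions supplied by the operator, and the embedded capture lines are constructed for the demo (three copied from the post, two invented as controls). It also checks whether every flagged query carries the same DNS transaction ID, which all of the quoted lines do (15939), a detail worth recording when arguing that one broken device, rather than many hosts, is the source.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the tcpdump lines quoted in the post.
# The first three are copied from the post; the last two are invented controls:
# a query from a known-live on-link host and one from an off-link source.
SAMPLE = """\
20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53:  15939+ A? ns5.z.lxdns.com. (33)
20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53:  15939+ A? www.nanhutravel.com. (37)
20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53:  15939+ A? rextest2.lxdns.com. (36)
20:54:10.000000 IP 209.208.121.10.50000 > 209.208.121.126.53:  4242+ A? example.net. (29)
20:54:12.000000 IP 198.51.100.7.40001 > 209.208.121.126.53:  7+ A? example.org. (29)
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>:  <qid>+ <qtype>? <qname>" as tcpdump
# prints a DNS query with default verbosity.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)\+?\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def parse_line(line):
    """Return the fields of one tcpdump DNS query line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "qid": int(m["qid"]),
        "qtype": m["qtype"].rstrip("?"),
        "qname": m["qname"],
    }


def audit(text, server_ip, known_hosts):
    """Flag DNS queries whose source address sits inside the server's own /24 but
    is neither the server nor a host known to be live on that segment.  These are
    exactly the packets that make the server ARP for addresses nobody answers.
    server_ip and known_hosts are operator-supplied assumptions."""
    server = ipaddress.ip_address(server_ip)
    onlink = ipaddress.ip_network(f"{server}/24", strict=False)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    suspects = []
    per_src = Counter()
    qids = defaultdict(set)
    for line in text.splitlines():
        q = parse_line(line)
        if q is None or q["dport"] != 53:
            continue
        src = ipaddress.ip_address(q["src"])
        if src in onlink and src != server and src not in known:
            suspects.append(q)
            per_src[str(src)] += 1
            qids[str(src)].add(q["qid"])
    return {"suspects": suspects, "per_src": per_src, "qids": dict(qids)}


def single_query_id(report):
    """Return the one DNS transaction ID shared by every flagged query, or None if
    the flagged queries use more than one ID (or there are none)."""
    ids = {q["qid"] for q in report["suspects"]}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    report = audit(SAMPLE, "209.208.121.126", ["209.208.121.10"])
    for src, n in report["per_src"].most_common():
        print(f"{src}: {n} queries, ids {sorted(report['qids'][src])}")
    print("shared transaction id:", single_query_id(report))
```

To run it against a live capture, feed the script the output of `tcpdump -n -i <iface> 'dst port 53 and src net 209.208.121.0/24'` (the prefix and interface being yours) and populate the known-host list from the server's ARP table or an address-management record; a persistent source that never answers ARP is the address to take to the abuse contact.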

