[127181] in North American Network Operators' Group


Re: Todd Underwood was a little late

daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Jun 16 22:09:47 2010

To: Jon Lewis <jlewis@lewis.org>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 16 Jun 2010 21:01:32 -0400."
	<Pine.LNX.4.61.1006162044210.5148@soloth.lewis.org> 
Date: Thu, 17 Jun 2010 12:07:33 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <Pine.LNX.4.61.1006162044210.5148@soloth.lewis.org>, Jon Lewis writes:
> I just took a closer look at something odd I'd noticed several days ago. 
> One of our DNS servers was sending crazy amounts of ARP requests for IPs 
> in the /24 its main IP is in.  What I've found is we're getting hit with 
> DNS requests that look like they're from "typical internet traffic for 
> someone in China" hitting this DNS server from IPs in its /24 which are 
> currently not in use (at least on our local network).  It would appear 
> someone in China is using our IP space, presumably behind a NAT router, 
> and they're leaking some traffic non-NAT'd.

Why was this traffic hitting your DNS server in the first place?  It should
have been rejected by the ingress filters preventing spoofing of the local
network.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
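
The anti-spoofing check raised in this reply, as an added example that is not part of the original message: it classifies flow records so that a source inside the local prefix arriving on an upstream interface is dropped, and a local source that is not in use is flagged, since replying to it is what produces the ARP requests described in the quoted text. The prefix (a documentation range), the interface names, the in-use address list and the flow records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed values for illustration (not from the thread): a documentation
# prefix standing in for the server's /24, and hypothetical interface names.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
UPSTREAM_IFACES = {"uplink0"}
IN_USE = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.53")}

# Constructed flow records: "ingress_iface src dst dport"
SAMPLE_FLOWS = """\
uplink0 198.51.100.7 192.0.2.53 53
uplink0 192.0.2.200 192.0.2.53 53
lan0 192.0.2.1 192.0.2.53 53
uplink0 192.0.2.53 192.0.2.53 53
lan0 192.0.2.77 192.0.2.53 53
uplink0 not-an-ip 192.0.2.53 53
"""


def classify(line):
    """Return (verdict, reason) for one flow record."""
    parts = line.split()
    if len(parts) != 4:
        return ("drop", "malformed record")
    iface, src_s, _dst, _dport = parts
    try:
        src = ipaddress.ip_address(src_s)
    except ValueError:
        return ("drop", "unparseable source")
    # Ingress filter: the local prefix can never legitimately be the
    # source of a packet that arrives from outside the network.
    if iface in UPSTREAM_IFACES and src in LOCAL_NET:
        return ("drop", "local-prefix source arrived on upstream interface")
    # A local source that is not a known host means replies will go
    # unanswered at layer 2, so the server keeps sending ARP requests.
    if src in LOCAL_NET and src not in IN_USE:
        return ("alert", "local source not in use; replies would trigger ARP")
    return ("accept", "ok")


def run(flows=SAMPLE_FLOWS):
    """Classify every non-empty record in a block of flow lines."""
    return [classify(l) for l in flows.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_FLOWS.splitlines(), run()):
        print(f"{verdict:6} {line}  # {reason}")
```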

