[127183] in North American Network Operators' Group
Re: Todd Underwood was a little late
daemon@ATHENA.MIT.EDU (Nicholas Suan)
Wed Jun 16 22:25:22 2010
From: Nicholas Suan <nicks@sunbelt-software.com>
In-Reply-To: <Pine.LNX.4.61.1006162044210.5148@soloth.lewis.org>
Date: Wed, 16 Jun 2010 22:25:05 -0400
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
We've been seeing the same thing since 2010-06-10:
22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? jkl.cnr.cn. (28)
22:13:19.773076 IP 72.236.167.124.33327 > 72.236.167.138.domain: 38783+ A? i10.aliimg.com. (32)
22:13:19.855750 IP 72.236.167.169.33381 > 72.236.167.138.domain: 38783+ A? www.vrp3d.com. (31)
22:13:19.941155 IP 72.236.167.200.33005 > 72.236.167.138.domain: 38783+ A? www.51seer.com. (32)
22:13:20.026342 IP 72.236.167.141.36652 > 72.236.167.138.domain: 38783+ A? img1.kaixin001.com.cn. (39)
22:13:20.102540 IP 72.236.167.188.39525 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com.cn. (38)
22:13:20.204403 IP 72.236.167.103.37838 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com. (35)
22:13:20.791201 IP 72.236.167.186.38958 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com. (36)
22:13:20.876527 IP 72.236.167.121.33000 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com.cn. (39)
22:13:20.971393 IP 72.236.167.203.33726 > 72.236.167.138.domain: 38783+ A? logo.kaixin001.com.cn. (39)
22:13:21.051831 IP 72.236.167.120.35298 > 72.236.167.138.domain: 38783+ A? qqtest.cdn20.com. (34)
22:13:21.132215 IP 72.236.167.196.34862 > 72.236.167.138.domain: 38783+ A? upload.elle.cn. (32)
22:13:21.218372 IP 72.236.167.116.35073 > 72.236.167.138.domain: 38783+ A? www.elle.cn. (29)
Spoofed, all with a TTL of 3. Given that all of the domains in question appear to have nameservers in common, I assumed someone was trying to make us participate in a DDoS attack, and started dropping all of the traffic.
On Jun 16, 2010, at 9:01 PM, Jon Lewis wrote:
> I just took a closer look at something odd I'd noticed several days ago. One of our DNS servers was sending crazy amounts of ARP requests for IPs in the /24 its main IP is in. What I've found is we're getting hit with DNS requests that look like they're from "typical internet traffic for someone in China" hitting this DNS server from IPs in its /24 which are currently not in use (at least on our local network). It would appear someone in China is using our IP space, presumably behind a NAT router, and they're leaking some traffic non-NAT'd.
>
> 20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33)
> 20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37)
> 20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37)
> 20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36)
> 20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53: 15939+ A? www.51seer.com. (32)
> 20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
> 20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53: 15939+ A? static.xn-app.com. (35)
> 20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53: 15939+ A? oa.hanhe.com. (30)
> 20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com. (36)
> 20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53: 15939+ A? rr.snyu.com. (29)
> 20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53: 15939+ A? edu.163.com. (29)
> 20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
> 20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53: 15939+ A? uphn.snswall.com. (34)
> 20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53: 15939+ A? zwgk.cma.gov.cn. (33)
> 20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53: 15939+ A? btocdn.52yeyou.com. (36)
> 20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53: 15939+ A? img1.kaixin001.com.cn. (39)
> 20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53: 15939+ A? rextest2.cdn20.com. (36)
> 20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53: 15939+ A? www.dameiren.com. (34)
> 20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com.cn. (39)
> 20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53: 15939+ A? i.jstv.com. (28)
>
> I hope they got a good deal on the IP space...and a better deal on their buggy router.
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
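Added example, not part of the thread and not code from either poster: a small Python check that runs over tcpdump lines of the shape quoted above and flags the two signs both posts describe, queries whose source address sits in the server's own /24 but belongs to no host actually in use there, and one DNS transaction ID reused across many different source addresses. It assumes the `tcpdump -n` one-line query format shown in the thread, and the server address and in-use list are supplied by the operator. The sample input reuses four lines from the top post and adds two constructed legitimate queries from a made-up in-use address (72.236.167.10, example.com/example.net) to show they are not flagged. TTL is not present in this output format, so the TTL-of-3 observation is not checked here.

```python
"""Flag DNS queries that carry source addresses from the server's own /24.

Added example (not from the NANOG thread). Assumed: tcpdump -n output in
the one-line-per-query shape quoted in the thread, one server address, and
an operator-supplied list of addresses really in use on that subnet.
"""
import ipaddress
import re
from collections import defaultdict

# Matches lines like:
# 22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? jkl.cnr.cn. (28)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+|domain): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed sample: four lines taken from the top post, plus two made-up
# legitimate queries from 72.236.167.10, an address assumed to be in use.
SAMPLE = """\
22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? jkl.cnr.cn. (28)
22:13:19.773076 IP 72.236.167.124.33327 > 72.236.167.138.domain: 38783+ A? i10.aliimg.com. (32)
22:13:19.855750 IP 72.236.167.169.33381 > 72.236.167.138.domain: 38783+ A? www.vrp3d.com. (31)
22:13:19.941155 IP 72.236.167.200.33005 > 72.236.167.138.domain: 38783+ A? www.51seer.com. (32)
22:13:20.100000 IP 72.236.167.10.51234 > 72.236.167.138.domain: 4112+ A? example.com. (29)
22:13:20.200000 IP 72.236.167.10.51235 > 72.236.167.138.domain: 60931+ A? example.net. (29)
"""

# Assumed operator inputs: the server's address and the hosts known to be
# live on its /24 (the server itself plus the constructed client).
SERVER_IP = "72.236.167.138"
IN_USE = ("72.236.167.138", "72.236.167.10")


def parse_line(line):
    """Parse one tcpdump DNS query line; return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "txid": int(m["txid"]),
        "qname": m["qname"],
    }


def analyse(lines, server_ip, in_use, min_sources=3):
    """Return (spoofed, shared) for queries addressed to server_ip.

    spoofed: parsed queries whose source is inside the server's own /24 but
             is not an address known to be in use there (a packet from
             outside carrying one of our addresses, as the thread describes).
    shared:  {txid: distinct source count} for transaction IDs seen from at
             least min_sources different sources; a real population of
             resolvers does not all pick the same ID.
    """
    server = ipaddress.ip_address(server_ip)
    local_net = ipaddress.ip_network(f"{server}/24", strict=False)
    known = {ipaddress.ip_address(a) for a in in_use}

    spoofed = []
    sources_by_txid = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["dst"] != server:
            continue
        sources_by_txid[rec["txid"]].add(rec["src"])
        if rec["src"] in local_net and rec["src"] not in known:
            spoofed.append(rec)

    shared = {t: len(s) for t, s in sources_by_txid.items() if len(s) >= min_sources}
    return spoofed, shared


def report():
    """Run the check over SAMPLE and return a summary dict."""
    spoofed, shared = analyse(SAMPLE.splitlines(), SERVER_IP, IN_USE)
    return {
        "spoofed_sources": sorted(str(r["src"]) for r in spoofed),
        "spoofed_qnames": sorted(r["qname"] for r in spoofed),
        "shared_txids": shared,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample, the four lines from the post are flagged as spoofed and transaction ID 38783 is reported as shared by four distinct sources, while the two constructed queries from the in-use address pass. The check is only a detector; the durable fix both posters converge on is the one Nicholas applied, dropping packets that arrive from outside carrying source addresses from your own prefix, which is ordinary ingress filtering at the upstream edge.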