[127634] in North American Network Operators' Group
DNS traffic sourced from my address space to myself.
daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Jul 7 08:10:26 2010
From: Drew Weaver <drew.weaver@thenap.com>
To: "'nanog@nanog.org'" <nanog@nanog.org>
Date: Wed, 7 Jul 2010 08:07:07 -0400
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Howdy,
Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed).
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet
There are multiple different instances of this traffic, the pattern seems to be:
-The source is always 'my own IPs' and obviously spoofed.
-It's DNS traffic
-The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).
Has anyone else noticed anything similar coming in on their transit links or am I just lucky?
Normally my iACL catches this but I've just been noticing more of it lately.
-Drew
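
The pattern described in the message above can be pulled out of ACL logs automatically. This is an added example, not part of the original post: it parses %SEC-6-IPACCESSLOGP lines in the format shown and summarises, per destination, packets whose source and destination both fall inside the operator's own space. It assumes the log comes from an ACL applied inbound on a transit interface; the prefix 10.20.144.0/22, the sample log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: 10.20.144.0/22 is a constructed stand-in for the operator's own
# address space (the post redacts the real prefix as x.x).
OWN_PREFIXES = [ipaddress.ip_network("10.20.144.0/22")]

# Field layout of the %SEC-6-IPACCESSLOGP lines shown in the post.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\(\d+\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample log: four self-sourced lines, one external source, one
# unrelated syslog message.
SAMPLE_LOG = """\
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 10.20.145.161(0) -> 10.20.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 10.20.146.74(0) -> 10.20.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 10.20.146.70(0) -> 10.20.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 10.20.146.57(0) -> 10.20.145.235(0), 3 packets
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 203.0.113.9(0) -> 10.20.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:04 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to up
"""


def is_own(addr):
    """True if addr falls inside one of the operator's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)


def find_self_sourced(log_text):
    """Summarise, per destination, packets whose source AND destination are
    both inside OWN_PREFIXES. Returns {dst: {"sources": set, "packets": int}}."""
    hits = defaultdict(lambda: {"sources": set(), "packets": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_own(m["src"]) and is_own(m["dst"]):
            hits[m["dst"]]["sources"].add(m["src"])
            hits[m["dst"]]["packets"] += int(m["count"])
    return dict(hits)


if __name__ == "__main__":
    for dst, info in find_self_sourced(SAMPLE_LOG).items():
        print(f"{dst}: {info['packets']} packets from "
              f"{len(info['sources'])} internal-looking sources on transit")
```

A destination that shows many distinct "internal" sources with one packet each matches the cycling behaviour the post describes.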