[127637] in North American Network Operators' Group

Re: DNS traffic sourced from my address space to myself.

daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Wed Jul 7 12:27:23 2010

Date: Wed, 7 Jul 2010 16:26:41 +0000
From: bmanning@vacation.karoshi.com
To: Drew Weaver <drew.weaver@thenap.com>
In-Reply-To: <F3318834F1F89D46857972DD4B411D7001922AB228@EXCHANGE.thenap.com>
Cc: "'nanog@nanog.org'" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jul 07, 2010 at 08:07:07AM -0400, Drew Weaver wrote:
> Howdy,
> 
> Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed). 
> 
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet
> 
> There are multiple different instances of this traffic, the pattern seems to be:
> 
> -The source is always 'my own IPs' and obviously spoofed.
> -It's DNS traffic
> -The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).
> 
> Has anyone else noticed anything similar coming in on their transit links or am I just lucky?
> 
> Normally my iACL catches this but I've just been noticing more of it lately.
> 
> -Drew
> 
> 

	Yeah... I've seen this type of behaviour w/ folks picking random source addresses
	from the IPv6 /32...  Sure wish I could announce something smaller.

--bill
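
The pattern described in the thread (sources inside the operator's own space, drawn from the same /23 as the destination, logged by an ACL on a transit link) can be pulled out of %SEC-6-IPACCESSLOGP lines as follows. This is an added example, not part of the original messages; the addresses, the OWN_PREFIXES value and the function name are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the IOS %SEC-6-IPACCESSLOGP line format quoted in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample lines (RFC 1918 / RFC 5737 addresses), not from the thread.
PFX = "SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp "
SAMPLE_LOG = [
    PFX + "10.10.145.161(0) -> 10.10.145.235(0), 1 packet",
    PFX + "10.10.144.74(0) -> 10.10.145.235(0), 3 packets",
    PFX + "10.10.144.70(0) -> 10.10.145.235(0), 1 packet",
    PFX + "203.0.113.9(0) -> 10.10.145.235(0), 1 packet",  # external source
    PFX + "10.10.150.4(0) -> 10.10.145.235(0), 1 packet",  # own space, other /23
    "SLOT 2:Jul  2 11:26:03 EDT: unrelated line without an ACL entry",
]
OWN_PREFIXES = ["10.10.144.0/20"]  # assumption: the operator's own address space


def find_self_sourced(lines, own_prefixes, window_bits=23):
    """Group entries whose source is in our own space and in the same
    /window_bits as the destination. Lines are assumed to come from an ACL
    applied inbound on a transit link, where such sources must be spoofed."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = defaultdict(lambda: {"sources": set(), "packets": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL log entry
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if not any(src in net for net in own):
            continue  # ordinary external source
        window = ipaddress.ip_network(f"{dst}/{window_bits}", strict=False)
        if src in window:
            hits[str(dst)]["sources"].add(str(src))
            hits[str(dst)]["packets"] += int(m["count"])
    return dict(hits)


if __name__ == "__main__":
    for dst, info in find_self_sourced(SAMPLE_LOG, OWN_PREFIXES).items():
        print(dst, len(info["sources"]), "spoofed sources,", info["packets"], "packets")
```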

