[169220] in North American Network Operators' Group

Re: random dns queries with random sources

daemon@ATHENA.MIT.EDU (Doug Barton)
Tue Feb 18 23:25:58 2014

Date: Tue, 18 Feb 2014 20:25:35 -0800
From: Doug Barton <dougb@dougbarton.us>
To: nanog@nanog.org
In-Reply-To: <53042C39.5020303@ttec.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 02/18/2014 07:59 PM, Joe Maimon wrote:
>
>
> Doug Barton wrote:
>> On 02/18/2014 07:08 PM, Joe Maimon wrote:
>>> Thousands of queries with thousands of source ip addresses.
>>
>> Pardon if I missed a memo, but how are your resolver systems receiving
>> these thousands of very different source addresses?
>>
>> Doug
>>
>>
>
> Thousands of queries _from_ thousands of source ip addresses
>
> likely they are spoofed

Yes, got that bit. :)  What I'm asking is, why are spoofed queries 
hitting your "different resolvers, routers with proxy turned on, etc.?"

Are you running open resolvers? If so, please stop doing that, it's 
widely known to be a bad idea for over a decade now, and you are 
providing the bad guys a tool to use for DDOS attacks.

If it's something else, please speak up. Regardless of the goal of this 
particular issue, the way to solve the root problem is to prevent the 
spoofed packets from getting to your servers in the first place.

Doug


