[169231] in North American Network Operators' Group


Re: random dns queries with random sources

daemon@ATHENA.MIT.EDU (Joe Maimon)
Wed Feb 19 01:29:04 2014

Date: Wed, 19 Feb 2014 01:28:38 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <043E2776-2F76-427B-B46A-474777FFA711@delong.com>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Owen DeLong wrote:
>
> On Feb 18, 2014, at 9:48 PM, Joe Maimon <jmaimon@ttec.com> wrote:

>
> This assumes several facts not in evidence:
>
> 1.	It is an attack.
> 2.	It is deliberate
> 3.	There is a target
> 4.	It is more effective than others
>
> On what do you base those assumptions? To me this looks to be far more likely to be someone’s wayward script, experiment, software, tool, etc. doing something it probably isn’t supposed to be doing.

I have found this occurring on unaffiliated open resolvers (that I 
happen to support and that I was able to make the choice to close).

It has been ongoing for a week or so (but not constant). The domain 
names have a pattern but are comprised of components that appear to be 
randomly generated. The source IP addresses for the queries appear to be 
non-duplicated and randomly generated.

Query logs are available for unicasting to the interested.

Has nobody else seen this?

>
> If it happens to also be gathering the answers or information that the author wants (or appears to be doing so), then the author may well be blissfully ignorant of its wayward behavior towards your servers.
>
> Owen
>
>
>

I would like to figure out how.

Joe


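The pattern Joe describes (query names that share a structure but carry random-looking components, with each query arriving from a different, apparently forged source address) can be measured directly from a resolver's query log. The Python script below is an added example, not code from this thread or from anyone on it. It parses constructed BIND 9-style query log lines (the sample data is invented; the thread's own logs are not reproduced) and flags a zone when nearly every query carries a distinct, high-entropy leftmost label and nearly every query comes from a distinct client address. The zone split (last two labels), the entropy measure and the thresholds are assumptions chosen for the sample, not a standard.

```python
import math
import re
from collections import defaultdict

# Constructed BIND 9-style query log excerpt (sample data, not the logs
# offered in the thread).  Six queries for random-looking labels under
# example.net arrive from six different sources; six ordinary queries
# for corp.example come from three repeat clients.
SAMPLE_LOG = """\
19-Feb-2014 01:10:01.123 client 203.0.113.17#5344: query: a1b2c3d4e5.example.net IN A + (192.0.2.53)
19-Feb-2014 01:10:01.250 client 198.51.100.9#40211: query: f6g7h8i9j0.example.net IN A + (192.0.2.53)
19-Feb-2014 01:10:01.377 client 203.0.113.201#1025: query: k1l2m3n4o5.example.net IN A + (192.0.2.53)
19-Feb-2014 01:10:01.502 client 198.51.100.77#53100: query: p6q7r8s9t0.example.net IN A + (192.0.2.53)
19-Feb-2014 01:10:01.640 client 203.0.113.5#22334: query: u1v2w3x4y5.example.net IN A + (192.0.2.53)
19-Feb-2014 01:10:01.771 client 198.51.100.140#3301: query: z6a7b8c9d0.example.net IN A + (192.0.2.53)
19-Feb-2014 01:10:02.003 client 192.0.2.88#51111: query: www.corp.example IN A + (192.0.2.53)
19-Feb-2014 01:10:02.115 client 192.0.2.88#51112: query: mail.corp.example IN MX + (192.0.2.53)
19-Feb-2014 01:10:02.220 client 192.0.2.90#51113: query: www.corp.example IN A + (192.0.2.53)
19-Feb-2014 01:10:02.330 client 192.0.2.88#51114: query: www.corp.example IN AAAA + (192.0.2.53)
19-Feb-2014 01:10:02.440 client 192.0.2.90#51115: query: mail.corp.example IN A + (192.0.2.53)
19-Feb-2014 01:10:02.550 client 192.0.2.91#51116: query: ftp.corp.example IN A + (192.0.2.53)
"""

# Pulls the client address and the query name out of a "query:" log line.
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(text):
    """Yield (source_ip, qname) for every line that looks like a query record."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower()


def split_qname(qname):
    """Split a query name into (leftmost label, zone).

    Assumption: the zone is the last two labels.  Real deployments need a
    public-suffix list so that e.g. co.uk is not treated as a zone."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def analyze(text, min_queries=5, ratio_threshold=0.9, entropy_threshold=3.0):
    """Per zone: how many queries, how many distinct leftmost labels, how many
    distinct clients, and the mean label entropy.  A zone is flagged when
    almost every query is a new label from a new client and the labels look
    random.  Thresholds are assumptions tuned to the constructed sample."""
    per_zone = defaultdict(
        lambda: {"queries": 0, "subdomains": set(), "sources": set(), "entropy_sum": 0.0}
    )
    for src, qname in parse_query_log(text):
        label, zone = split_qname(qname)
        z = per_zone[zone]
        z["queries"] += 1
        z["subdomains"].add(label)
        z["sources"].add(src)
        z["entropy_sum"] += shannon_entropy(label)

    report = {}
    for zone, z in per_zone.items():
        n = z["queries"]
        if n < min_queries:
            continue  # too few queries to judge
        subdomain_ratio = len(z["subdomains"]) / n
        source_ratio = len(z["sources"]) / n
        mean_entropy = z["entropy_sum"] / n
        report[zone] = {
            "queries": n,
            "distinct_subdomains": len(z["subdomains"]),
            "distinct_sources": len(z["sources"]),
            "subdomain_ratio": round(subdomain_ratio, 3),
            "source_ratio": round(source_ratio, 3),
            "mean_label_entropy": round(mean_entropy, 3),
            "suspicious": (
                subdomain_ratio >= ratio_threshold
                and source_ratio >= ratio_threshold
                and mean_entropy >= entropy_threshold
            ),
        }
    return report


if __name__ == "__main__":
    for zone, stats in sorted(analyze(SAMPLE_LOG).items()):
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{zone:15} {flag:10} {stats}")
```

The two ratios separate the case in the post from ordinary traffic: a busy legitimate zone repeats its labels (www, mail) and its clients, while the traffic described here repeats neither. A high source ratio on its own is also the hint that addresses are forged rather than real clients, since genuine resolvers' clients recur. On a recursive server the same counters support the decision Joe took, closing the open resolver or restricting recursion to known client ranges, and they give a concise summary to share with other operators instead of raw logs.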

