[46977] in North American Network Operators' Group


Re: is your host or dhcp server sending dns dynamic updates for rfc1918?

daemon@ATHENA.MIT.EDU (Mike Parson)
Fri Apr 19 15:22:13 2002

Date: Fri, 19 Apr 2002 14:21:40 -0500
From: Mike Parson <mparson@bl.org>
To: nanog@merit.edu
Message-ID: <20020419142140.A16397@ultra.bl.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020418235759.87A1928B6E@as.vix.com>; from paul@vix.com on Thu, Apr 18, 2002 at 04:57:59PM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Apr 18, 2002 at 04:57:59PM -0700, Paul Vixie wrote:

<snip>

> what these files are is a whole lot of lines that look like (broken by me):
> 
> 18-Apr-2002 16:16:05.491 security: notice: \
> 	denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
> 
> by "a whole lot" i mean we've logged 3.3M of these in the last four hours.

I saw similar behavior on my little box (ns.bl.org) about a year or so ago,
logs have long since rotated out, so I don't recall exactly when, but there
was an IP somewhere in S. America trying to do a dyn update, something like
one attempt every two seconds.

I emailed the ISP, didn't get anything back, so I set up a black-hole
in BIND and stuck that /24 in it.  A few days later, it was back,
from a different /24, but in the same /16, so I blackholed the /16.
Then again, from another /16, but the same ISP, so I blackholed it.

Haven't seen anything in a long time.

-- 
Michael Parson
mparson@bl.org
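
An added example, not part of the original message: a Python sketch that counts the "denied update" lines quoted above per source /24 and reports the covering /16 once several noisy /24s share it, following the escalation the message describes. The thresholds, function names and sample addresses are assumptions made for illustration, and the output uses BIND's `blackhole` option on the assumption that this is the "black-hole" the message refers to.

```python
import ipaddress
import re
from collections import Counter

DENIED = re.compile(r'denied update from \[([0-9.]+)\]\.\d+ for "[^"]+"')

def _line(src):
    # Builds one constructed line in the format quoted above, unwrapped.
    return ('18-Apr-2002 16:16:05.491 security: notice: '
            f'denied update from [{src}].2323 for "168.192.in-addr.arpa" IN')

# Constructed sample: sources come from the 198.18.0.0/15 benchmarking range.
SAMPLE_LOG = "\n".join(
    [_line("198.18.4.30")] * 3 + [_line("198.18.9.12")] * 3
    + [_line("198.19.7.5")] * 4 + [_line("198.19.200.1")]
    + ["18-Apr-2002 16:16:09.000 general: info: unrelated constructed line"])

def denied_sources(log_text):
    """Yield the source address of every denied dynamic-update line."""
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue
        try:
            yield ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # not a valid IPv4 address; skip the line

def blackhole_candidates(log_text, min_hits=3, widen_at=2):
    """Networks worth reviewing: noisy /24s, or their /16 when widen_at
    or more noisy /24s fall inside the same /16 (hypothetical thresholds)."""
    per24 = Counter(ipaddress.ip_network(f"{a}/24", strict=False)
                    for a in denied_sources(log_text))
    noisy = [n for n, hits in per24.items() if hits >= min_hits]
    per16 = Counter(n.supernet(new_prefix=16) for n in noisy)
    wide = {n for n, count in per16.items() if count >= widen_at}
    narrow = {n for n in noisy if n.supernet(new_prefix=16) not in wide}
    return sorted(wide | narrow)

def as_blackhole_option(networks):
    """Format the networks as an address match list for BIND's blackhole option."""
    return "blackhole { " + " ".join(f"{n};" for n in networks) + " };"

if __name__ == "__main__":
    print(as_blackhole_option(blackhole_candidates(SAMPLE_LOG)))
```

A /16 takes in many hosts that never sent an update, so the output is a list to review before it goes into named.conf.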
