[57026] in North American Network Operators' Group
RE: Odd DNS Traffic
daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Wed Mar 26 17:24:41 2003
Date: Wed, 26 Mar 2003 17:24:05 -0500
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Support Team" <support@snworks.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Michael,
Do you have a packet sniff of the traffic?
Possibly a sniff of at least 10000 packets?
HMMM..
I have seen some increase at our Corp DNS, but not that much...
Drop me a note off-list with the sniff; I would like to look at this.
Jim
> -----Original Message-----
> From: Support Team [mailto:support@snworks.com]
> Sent: Wednesday, March 26, 2003 4:01 PM
> To: nanog@merit.edu
> Subject: Odd DNS Traffic
>
> First I would like to note I am new to the list and group. It's nice to be here.
>
> Second, since Monday, March 24th at approx 1am we have been suffering
> from "odd" DNS traffic to our two primary DNS servers. The odd traffic
> has increased our bandwidth utilization by about 20 Mbps, which is
> obviously putting a hurting on our network and our DNS servers.
>
> I know this must also be affecting other networks, and if anything the
> root servers. If anyone has any suggestions, etc, they would be much
> appreciated.
>
> Thank you,
> Michael Mannella
> Support Team
> Synergy Networks, Inc.
>
> Here are the symptoms:
> ============================================
>
> The odd traffic started with the root servers, namely
> (a-m).gtld-servers.net . Most of the traffic is still coming from them,
> but other servers have also started sending us this odd traffic.
>
> We have 3 dns servers, only two are being affected, they are our Primary
> and Secondary servers that are listed with Network Solutions. The third
> server (that is not being affected) is not listed with NetSol and has no
> DNS records setup in it. It is strictly being used for lookups.
>
> The odd traffic is listed as a "DNS Spoof attempt" on our firewall.
>
> The odd traffic looks like this:
>
> Rcv 192.48.79.30 0cbb R Q [0084 A NOERROR] (8)\xCE\xD2\xB5\xC4\xB5\xE7\xBB\xB0(3)COM(0)
> UDP response info at 01ADC8BC
> Socket = 380
> Remote addr 192.48.79.30, port 53
> Time Query=147367, Queued=0, Expire=0
> Buf length = 0x0200 (512)
> Msg length = 0x010e (270)
> Message:
> XID 0x0cbb
> Flags 0x8400
> QR 1 (response)
> OPCODE 0 (QUERY)
> AA 1
> TC 0
> RD 0
> RA 0
> Z 0
> RCODE 0 (NOERROR)
> QCOUNT 0x1
> ACOUNT 0x1
> NSCOUNT 0xd
> ARCOUNT 0x0
> Offset = 0x000c, RR count = 0
> Name "(8)\xCE\xD2\xB5\xC4\xB5\xE7\xBB\xB0(3)COM(0)"
> QTYPE A (1)
> QCLASS 1
> ANSWER SECTION:
> Offset = 0x001e, RR count = 0
> Name "[C00C](8)\xCE\xD2\xB5\xC4\xB5\xE7\xBB\xB0(3)COM(0)"
> TYPE A (1)
> CLASS 1
> TTL 300
> DLEN 4
> DATA 198.41.1.35
> AUTHORITY SECTION:
> Offset = 0x002e, RR count = 0
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 20
> DATA (1)g(12)gtld-servers(3)net(0)
> Offset = 0x004e, RR count = 1
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)h[C03C](12)gtld-servers(3)net(0)
> Offset = 0x005e, RR count = 2
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)d[C03C](12)gtld-servers(3)net(0)
> Offset = 0x006e, RR count = 3
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)j[C03C](12)gtld-servers(3)net(0)
> Offset = 0x007e, RR count = 4
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)i[C03C](12)gtld-servers(3)net(0)
> Offset = 0x008e, RR count = 5
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)l[C03C](12)gtld-servers(3)net(0)
> Offset = 0x009e, RR count = 6
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)b[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ae, RR count = 7
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)e[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00be, RR count = 8
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)a[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ce, RR count = 9
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)k[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00de, RR count = 10
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)f[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ee, RR count = 11
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)c[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00fe, RR count = 12
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)m[C03C](12)gtld-servers(3)net(0)
> ADDITIONAL SECTION:
>
> The DNS server encountered an invalid domain name in a packet from
> 192.48.79.30. The packet is
> rejected.
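Added example, not part of the thread and not code from Synergy Networks or any DNS vendor: the Python below rebuilds the 270-byte response from the values in the quoted debug log (XID, flags, section counts, the eight raw label bytes CE D2 B5 C4 B5 E7 BB B0, the A record 198.41.1.35 and the thirteen COM NS records with their compression pointers C00C, C015 and C03C), then parses it the way a resolver would and reports which owner names fail the letters-digits-hyphen rule of RFC 952/1035. That rule is what a strict server enforces on names in a received packet; the thread only shows the rejection, so treating it as the reason the packet was dropped is an assumption here. The packet bytes are constructed from the log, not captured. The observation that the label bytes form a valid GB2312 string is mine, not something the thread states. Function names (build_response, read_name, is_ldh_label, parse_response) are mine.

```python
import struct

# Constructed from the quoted log, not a capture: the 8-byte label and the
# gTLD server letters in the order the log lists them.
RAW_LABEL = bytes.fromhex("ced2b5c4b5e7bbb0")
NS_LETTERS = "ghdjilbeakfcm"


def build_response():
    """Serialise the response so every offset matches the log (0x1e, 0x2e, 0x4e, ...)."""
    msg = bytearray(struct.pack("!HHHHHH", 0x0CBB, 0x8400, 1, 1, len(NS_LETTERS), 0))
    msg += bytes([len(RAW_LABEL)]) + RAW_LABEL + b"\x03COM\x00"   # QNAME at 0x0c
    msg += struct.pack("!HH", 1, 1)                                  # QTYPE A, QCLASS IN
    # answer at 0x1e: owner is a pointer to the QNAME (C00C), A 198.41.1.35, TTL 300
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 41, 1, 35])
    # authority from 0x2e: owner COM via pointer C015; the first NS spells out
    # gtld-servers.net, the other twelve point back to it at 0x3c (C03C)
    for i, letter in enumerate(NS_LETTERS):
        rdata = b"\x01" + letter.encode("ascii")
        rdata += b"\x0cgtld-servers\x03net\x00" if i == 0 else b"\xc0\x3c"
        msg += b"\xc0\x15" + struct.pack("!HHIH", 2, 1, 172800, len(rdata)) + rdata
    return bytes(msg)


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4).

    Returns (labels as raw bytes, offset just past the name in the stream).
    Pointers must point backwards, which rules out loops and forward jumps."""
    labels, end, jumped = [], None, False
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if target >= off:
                raise ValueError("forward or self-referencing compression pointer")
            if not jumped:
                end, jumped = off + 2, True
            off = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type 0x%02x" % length)
        off += 1
        if length == 0:
            return labels, (end if jumped else off)
        labels.append(bytes(msg[off:off + length]))
        off += length


def to_text(labels):
    """Presentation form; non-printable bytes become \\DDD as dig prints them."""
    def esc(b):
        if b in (0x2E, 0x5C):                    # escape '.' and '\' inside a label
            return "\\" + chr(b)
        return chr(b) if 0x21 <= b < 0x7F else "\\%03d" % b
    return ".".join("".join(esc(b) for b in label) for label in labels)


def is_ldh_label(label):
    """RFC 952/1035 preferred syntax: ASCII letters, digits and hyphen, at most
    63 octets, no leading or trailing hyphen. The 8-bit label fails this."""
    if not 0 < len(label) <= 63 or label[0] == 0x2D or label[-1] == 0x2D:
        return False
    return all(b < 0x80 and (chr(b).isalnum() or b == 0x2D) for b in label)


def parse_response(msg):
    """Walk all four sections; return header fields, records and the owner
    names that fail the LDH check (assumed here to be why the packet was dropped)."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, records, bad_names = 12, [], []

    def note(labels):
        text = to_text(labels)
        if text not in bad_names and not all(is_ldh_label(l) for l in labels):
            bad_names.append(text)

    for _ in range(qd):
        labels, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        note(labels)
        records.append(("question", to_text(labels), qtype, None, None))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            labels, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:                       # A record
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == 2:                                    # NS: rdata is a name
                value = to_text(read_name(msg, off)[0])
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            note(labels)
            records.append((section, to_text(labels), rtype, ttl, value))
    if off != len(msg):
        raise ValueError("%d trailing bytes" % (len(msg) - off))
    return {"xid": xid, "flags": flags, "counts": (qd, an, ns, ar),
            "records": records, "invalid_names": bad_names}


def label_as_gb2312(label):
    """The raw label bytes happen to decode cleanly as GB2312 (my observation)."""
    return label.decode("gb2312")


if __name__ == "__main__":
    parsed = parse_response(build_response())
    print("xid=%#06x flags=%#06x counts=%s" % (parsed["xid"], parsed["flags"], parsed["counts"]))
    for rec in parsed["records"]:
        print(rec)
    print("rejected owner names:", parsed["invalid_names"])
```

The parser decodes the compressed owner names the same way a caching server must, so the flagged name is the one at offset 0x0c that C00C points to; the authority records' owner (COM) passes the check, which is why only the question and answer owners are reported.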