[80704] in North American Network Operators' Group


Unusual IN ANY DNS Traffic

daemon@ATHENA.MIT.EDU (Douglas E. Warner)
Tue May 10 11:22:54 2005

From: "Douglas E. Warner" <dwarner@ctinetworks.com>
To: nanog@merit.edu
Date: Tue, 10 May 2005 11:22:16 -0400
Errors-To: owner-nanog@merit.edu


Since about 03:00 UTC this morning I've been seeing a huge increase in "IN ANY" requests for "msn.com.".  While my name servers have not seen much, if any, "IN ANY" queries in the past, now I'm seeing ~50 queries/second.  I'll include a tcpdump sample below.
Actually, while I was writing this post the queries seem to have stopped (15:05 UTC).
Is this typical of a botnet or some worm propagating?  Any experience with this type of traffic would be very much appreciated.

-Doug

==== tcpdump - times in EDT ====

# tcpdump -nn dst port 53 | grep 'ANY'
tcpdump: listening on eth0
10:27:16.748561 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.751724 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  15+ ANY? msn.com. (25) (DF)
10:27:16.758276 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.758440 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  3+ ANY? msn.com. (25) (DF)
10:27:16.758443 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  10+ ANY? msn.com. (25) (DF)
10:27:16.759799 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.761228 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  10+ ANY? msn.com. (25) (DF)
10:27:16.762209 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.764992 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  7+ ANY? msn.com. (25) (DF)
10:27:16.765981 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.766676 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.766798 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  8+ ANY? msn.com. (25) (DF)

-- 
Douglas E. Warner    <dwarner@ctinetworks.com>     Network Engineer
CTI Networks, Inc.   http://www.ctinetworks.com    +1 717 975 9000

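Added example, not part of Doug's post or of the NANOG thread: the check a practitioner would run over a capture like the one above is to bucket queries per second by source address and qname and flag bursts of QTYPE ANY, noting whether the UDP source port is fixed (every query in the post arrives from port 53). ANY answers for a large zone are big, so tens of ANY queries per second for one name from one address is the shape a spoofed-source reflection attack takes when it uses someone's resolver; the code only surfaces those indicators and leaves the judgement to the operator. The parser handles the legacy tcpdump line format shown in the post. The sample lines, the addresses (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the threshold of 20 queries per second are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Legacy tcpdump DNS query line, in the format printed in the post, e.g.:
# 10:27:16.748561 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
# Fields: timestamp, src.sport > dst.dport:, query-id[+ if RD set], QTYPE? QNAME (len)
LINE_RE = re.compile(
    r"^(?P<hms>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)\+?\s+"
    r"(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<qlen>\d+)\)"
)


def parse_dns_line(line):
    """Parse one tcpdump query line into a dict; return None for non-query lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "second": m["hms"],           # one-second bucket key
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "qtype": m["qtype"],
        "qname": m["qname"].lower(),  # DNS names are case-insensitive
        "qlen": int(m["qlen"]),
    }


def any_query_bursts(lines, threshold_per_sec=20):
    """Flag (second, src, qname) buckets with >= threshold_per_sec QTYPE ANY queries.

    Each alert also records the set of UDP source ports seen in the burst: one
    fixed port (53 in the post's capture) across dozens of queries is a further
    hint that the source address may be spoofed rather than a busy resolver.
    """
    counts = Counter()
    ports = defaultdict(set)
    for line in lines:
        q = parse_dns_line(line)
        if q is None or q["qtype"] != "ANY":
            continue
        key = (q["second"], q["src"], q["qname"])
        counts[key] += 1
        ports[key].add(q["sport"])
    alerts = []
    for (second, src, qname), n in sorted(counts.items()):
        if n >= threshold_per_sec:
            alerts.append({
                "second": second,
                "src": src,
                "qname": qname,
                "count": n,
                "source_ports": ports[(second, src, qname)],
            })
    return alerts


# Constructed sample capture for this example (not from the original post):
# 30 ANY queries for msn.com. within one second, all from UDP source port 53 of
# one address, mixed with ordinary lookups and one isolated ANY query.
SAMPLE_LINES = [
    f"10:27:16.{748561 + i * 900:06d} 192.0.2.10.53 > 198.51.100.53.53:  "
    f"{i % 17}+ ANY? msn.com. (25) (DF)"
    for i in range(30)
] + [
    "10:27:16.800123 192.0.2.77.33412 > 198.51.100.53.53:  4412+ A? www.example.com. (33) (DF)",
    "10:27:16.810456 192.0.2.77.33412 > 198.51.100.53.53:  4413+ MX? example.com. (29) (DF)",
    "10:27:17.100789 192.0.2.88.51234 > 198.51.100.53.53:  9+ ANY? example.com. (29) (DF)",
    "tcpdump: listening on eth0",  # non-query line; the parser skips it
]


if __name__ == "__main__":
    for a in any_query_bursts(SAMPLE_LINES):
        sports = ",".join(str(p) for p in sorted(a["source_ports"]))
        print(f'{a["second"]} {a["src"]} ANY {a["qname"]}: '
              f'{a["count"]} q/s (source port {sports})')
```

To run it against a live capture instead of the constructed sample, feed `sys.stdin` lines from `tcpdump -nn -l dst port 53` into `any_query_bursts`; the threshold should be set from the server's normal ANY rate, which in the post's case was close to zero.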
