[80707] in North American Network Operators' Group
Re: Unusual IN ANY DNS Traffic
daemon@ATHENA.MIT.EDU (Duane Wessels)
Tue May 10 12:14:57 2005
Date: Tue, 10 May 2005 10:14:28 -0600 (MDT)
From: Duane Wessels <cee4@packet-pushers.com>
To: "Douglas E. Warner" <dwarner@ctinetworks.com>
Cc: nanog@merit.edu
In-Reply-To: <200505101122.16873.dwarner@ctinetworks.com>
Errors-To: owner-nanog@merit.edu
On Tue, 10 May 2005, Douglas E. Warner wrote:
> Since about 03:00 UTC this morning I've been seeing a huge increase in "IN
> ANY" requests for "msn.com.". While my name servers have not seen much, if
> any, "IN ANY" queries in the past, now I'm seeing ~ 50 queries/second. I'll
> include a tcpdump sample below.
> Actually, while I was writing this post the queries seem to have stopped
> (15:05 UTC).
> Is this typical of a botnet or some worm propagating? Any experience in this
> type of traffic would be very much appreciated.
One thing I've noticed that likes to generate ANY queries is Qmail...
Duane W.