[80792] in North American Network Operators' Group
Re: Malicious DNS request?
daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu May 12 05:44:09 2005
Date: Thu, 12 May 2005 12:41:12 +0400
From: Gadi Evron <ge@linuxbox.org>
To: Joe Shen <joe_hznm@yahoo.com.sg>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <20050512081135.52153.qmail@web53609.mail.yahoo.com>
Errors-To: owner-nanog@merit.edu
Joe Shen wrote:
> Hi,
>
> In past days I noticed the nxdomain statistics in
> named.stats keeps increasing.( I run it every 5 min)
>
> By tcpdump, I found a remote computer keeps asking for
> addresses for records like
> 999d38e693b9e6293b450.0existence.com,
> 60d38e693b9e6293b450.0be6c1xfa.net.
>
> Is that a virus-affected computer?
>
> How could such requests be filtered, or their
> effect on the DNS server minimized?
Either this is a DDoS (woohoo!! I used the forbidden word) or you are
seeing a botnet trying to connect and putting in some smoke-screen while
at it to try and poison dns-top.
I'd suggest dropping requests for domains you don't hold.
Gadi.
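A defender-side detector for the pattern Joe describes (a single source hammering the server with long, random-looking leftmost labels), added here as an example and not code from the thread. It assumes a BIND-style query-log line layout and runs over constructed sample lines; the thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in an assumed BIND-style query-log layout.
# 192.0.2.10 plays the noisy client; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
12-May-2005 12:41:12.001 client 192.0.2.10#3456: query: 999d38e693b9e6293b450.0existence.com IN A +
12-May-2005 12:41:12.002 client 192.0.2.10#3456: query: 60d38e693b9e6293b450.0be6c1xfa.net IN A +
12-May-2005 12:41:12.003 client 192.0.2.10#3456: query: 7a1f0c9e2b4d6e8f0a1b.0existence.com IN A +
12-May-2005 12:41:12.004 client 192.0.2.10#3456: query: c3d4e5f6a7b8c9d0e1f2.0be6c1xfa.net IN A +
12-May-2005 12:41:13.000 client 198.51.100.7#5353: query: www.example.net IN A +
12-May-2005 12:41:13.100 client 198.51.100.7#5353: query: mail.example.net IN MX +
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 12, min_entropy: float = 2.5,
                 min_digit_frac: float = 0.3) -> bool:
    """Heuristic (assumed thresholds): long label, high entropy, digit-heavy.

    The digit check keeps ordinary long words such as 'autodiscover' out."""
    if len(label) < min_len:
        return False
    digit_frac = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and digit_frac >= min_digit_frac


def suspicious_sources(log_text: str, min_hits: int = 3) -> dict[str, int]:
    """Count random-looking leftmost labels per client; return those at or over min_hits."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        leftmost = m.group("qname").rstrip(".").split(".")[0]
        if looks_random(leftmost):
            hits[m.group("src")] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} random-looking subdomain queries")
```

Pair the per-source counts with the NXDOMAIN counter Joe was already watching in named.stats: a source that is both high on this list and driving the NXDOMAIN rate is the one worth rate-limiting or dropping.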