Large number of DNS probes in last 24 hours

Michael Still mikal at stillhq.com
Mon Jun 2 17:36:54 CDT 2008


Jim Wise wrote:
> On Fri, 30 May 2008, Michael Still wrote:

>> I have seen PlanetLab experiments doing this. What are the originating
>> IP addresses?
> 
> Three observed source addresses
> 
> 	208.78.169.237
> 	204.11.51.62
> 	194.199.24.101
> 
> Source ports are high and non-repeating.  Other than the domain root, 
> A-record queries for "google.com" and for hostnames which appear to be 
> on the same subnet as the querying host.

Hmmm. All the PlanetLab nodes should have valid reverse DNS, which isn't
the case here, so I guess it is something more malicious.

Mikal



