DNS traffic sourced from my address space to myself.

Jon Lewis jlewis at lewis.org
Wed Jul 7 07:25:39 CDT 2010


On Wed, 7 Jul 2010, Drew Weaver wrote:

> Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed).
>
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul  2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet
>
> There are multiple different instances of this traffic, the pattern seems to be:
>
> -The source is always 'my own IPs' and obviously spoofed.
> -It's DNS traffic
> -The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).
>
> Has anyone else noticed anything similar coming in on their transit links or am I just lucky?

I posted the same thing June 16, 2010.  Search for
Subject: Todd Underwood was a little late

If you can capture some of the traffic and see what the DNS requests are, 
that would let you see if it's the same sort of issue I was seeing or 
something different.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
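
One way to do the inspection suggested above, as an added example that is not part of the original message: decode the question section of each captured DNS payload and tally the queries whose source address falls inside your own prefix. It assumes the UDP payloads have already been extracted from a capture; the prefix 192.0.2.0/24, the addresses, the query names and all function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def parse_dns_question(payload):
    """Return (qname, qtype, is_response) for a raw DNS UDP payload, or None if malformed."""
    if len(payload) < 12:  # shorter than the fixed DNS header
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None  # pointer/reserved label type, or label runs past the end
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(payload):  # need the root label byte plus QTYPE and QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return ".".join(labels) or ".", QTYPES.get(qtype, str(qtype)), bool(flags & 0x8000)

def summarize_spoofed(packets, own_prefix):
    """Count (qname, qtype, is_response) for packets whose source is inside own_prefix."""
    net = ipaddress.ip_network(own_prefix)
    counts = Counter()
    for src, payload in packets:
        if ipaddress.ip_address(src) not in net:
            continue  # not claiming to come from our own space
        counts[parse_dns_question(payload) or ("<malformed>", "-", False)] += 1
    return counts

# Constructed sample input: build_query is a hypothetical helper, not captured traffic.
def build_query(name, qtype, response=False):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, 1)

SAMPLE = [
    ("192.0.2.161", build_query("example.com", 255)),
    ("192.0.2.74", build_query("example.com", 255)),
    ("192.0.2.70", build_query("example.net", 1, response=True)),
    ("203.0.113.9", build_query("example.org", 1)),  # outside the prefix, ignored
    ("192.0.2.57", b"\x00\x01"),                     # too short to be DNS
]
for key, n in summarize_spoofed(SAMPLE, "192.0.2.0/24").most_common():
    print(n, *key)
```

A tally dominated by one name and type, or by packets with the response bit set, makes it easy to compare what you are seeing against someone else's description of their traffic.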



