Todd Underwood was a little late

Paul Timmins paul at telcodata.us
Thu Jun 17 13:12:57 CDT 2010


Hah, given the number of times people I have worked with have said "oh, 
I'll just use apnic space if we run out of IPs, i don't need to talk to 
them anyway", I think it's humorous that someone in China felt the same 
way about ARIN space. :)

-Paul

On 06/16/2010 09:01 PM, Jon Lewis wrote:
> I just took a closer look at something odd I'd noticed several days 
> ago. One of our DNS servers was sending crazy amounts of ARP requests 
> for IPs in the /24 its main IP is in.  What I've found is we're 
> getting hit with DNS requests that look like they're from "typical 
> internet traffic for someone in China" hitting this DNS server from 
> IPs in its /24 which are currently not in use (at least on our local 
> network).  It would appear someone in China is using our IP space, 
> presumably behind a NAT router, and they're leaking some traffic 
> non-NAT'd.
>
> 20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53:  15939+ 
> A? ns5.z.lxdns.com. (33)
> 20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53:  15939+ 
> A? www.nanhutravel.com. (37)
> 20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53:  15939+ 
> A? test.csxm.cdn20.com. (37)
> 20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53:  15939+ 
> A? rextest2.lxdns.com. (36)
> 20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53:  15939+ 
> A? www.51seer.com. (32)
> 20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53:  15939+ 
> A? image.dhgate.cdn20.com. (40)
> 20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53:  15939+ 
> A? static.xn-app.com. (35)
> 20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53:  15939+ 
> A? oa.hanhe.com. (30)
> 20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53:  15939+ 
> A? pic1.kaixin001.com. (36)
> 20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53:  15939+ 
> A? rr.snyu.com. (29)
> 20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53:  15939+ 
> A? edu.163.com. (29)
> 20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53:  15939+ 
> A? image.dhgate.cdn20.com. (40)
> 20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53:  15939+ 
> A? uphn.snswall.com. (34)
> 20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53:  15939+ 
> A? zwgk.cma.gov.cn. (33)
> 20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53:  15939+ 
> A? btocdn.52yeyou.com. (36)
> 20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53:  15939+ 
> A? img1.kaixin001.com.cn. (39)
> 20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53:  15939+ 
> A? rextest2.cdn20.com. (36)
> 20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53:  15939+ 
> A? www.dameiren.com. (34)
> 20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53:  15939+ 
> A? pic1.kaixin001.com.cn. (39)
> 20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53:  15939+ 
> A? i.jstv.com. (28)
>
> I hope they got a good deal on the IP space...and a better deal on 
> their buggy router.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>







More information about the NANOG mailing list