What are these Google IPs hammering on my DNS server?

Tom Samplonius tom at samplonius.org
Sun Dec 3 18:59:16 UTC 2023


They are probably spoofed IPs.  So those are the target IPs of a DDoS.

What kind of amplification factor does your DNS server have?  I bet with the changes you’ve made, it’s super high.  People are looking for DNS servers like that.

Tom

> On Dec 3, 2023, at 10:49 AM, John Levine <johnl at iecc.com> wrote:
> 
> At contacts.abuse.net, I have a little stunt DNS server that provides domain contact info, e.g.:
> 
> $ host -t txt comcast.net.contacts.abuse.net
> comcast.net.contacts.abuse.net descriptive text "abuse at comcast.net"
> 
> $ host -t hinfo comcast.net.contacts.abuse.net
> comcast.net.contacts.abuse.net host information "lookup" "comcast.net"
> 
> Every once in a while someone decides to look up every domain in the
> world and DoS'es it until I update my packet filters. This week it's
> been this set of IPs that belong to Google. I don't think they're
> 8.8.8.8. Any idea what they are? Random Google Cloud customers? A
> secret DNS mapping project?
> 
> R's,
> John

