What are these Google IPs hammering on my DNS server?

John R. Levine johnl at iecc.com
Sun Dec 3 19:07:35 UTC 2023


> They are probably spoofed IPs.  So those are the target IPs of a DDoS.
>
> What kind of amplification factor does your DNS server have?  I bet with the changes you’ve made, it’s super high.  People are looking for DNS servers like that.

On the contrary, the response packets are tiny.

>> $ host -t txt comcast.net.contacts.abuse.net
>> comcast.net.contacts.abuse.net descriptive text "abuse at comcast.net"
>>
>> $ host -t hinfo comcast.net.contacts.abuse.net
>> comcast.net.contacts.abuse.net host information "lookup" "comcast.net"

Those reply packets are 108 and 109 bytes, no additional section, no
DNSSEC, no nothing.

Any other ideas?  One clue is that the queries have random capitalization 
which would be consistent with them really coming from Google.

>> Every once in a while someone decides to look up every domain in the
>> world and DoS'es it until I update my packet filters. This week it's
>> been this set of IPs that belong to Google. I don't think they're
>> 8.8.8.8. Any idea what they are? Random Google Cloud customers? A
>> secret DNS mapping project?
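
Added example (not part of the original message): a Python sketch of the two checks discussed above, the response-to-query size ratio and per-source QNAME case mixing. The query size is computed from the RFC 1035 wire format and compared with the 108-byte reply figure on the assumption that both are DNS payload sizes; the log entries and function names are constructed for illustration.

```python
# Added example: constructed data and hypothetical helper names.
from collections import defaultdict

def query_wire_size(qname: str, edns: bool = False) -> int:
    """DNS payload size of a one-question query (RFC 1035 wire format)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    qname_len = sum(1 + len(l) for l in labels) + 1   # length octets + root label
    size = 12 + qname_len + 4                         # header + QNAME + QTYPE/QCLASS
    return size + 11 if edns else size                # an empty OPT RR adds 11 bytes

def amplification_factor(qname: str, response_bytes: int, edns: bool = False) -> float:
    """Response size divided by query size; values near 1 offer little amplification."""
    return response_bytes / query_wire_size(qname, edns)

def is_mixed_case(qname: str) -> bool:
    """True when the name contains both upper- and lower-case letters."""
    letters = [c for c in qname if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)

def mixed_case_share(log):
    """Map source IP -> fraction of its queries whose QNAME mixes case."""
    seen = defaultdict(list)
    for src, qname in log:
        seen[src].append(is_mixed_case(qname))
    return {src: sum(flags) / len(flags) for src, flags in seen.items()}

# Constructed sample log: documentation-range addresses and made-up names.
SAMPLE_LOG = [
    ("192.0.2.10", "eXaMplE.cOm.conTAcTs.AbuSE.nEt"),
    ("192.0.2.10", "ExAmPle.ORg.cOntaCts.aBUse.NeT"),
    ("192.0.2.10", "exaMPLE.net.COntActS.abuSe.net"),
    ("198.51.100.7", "example.com.contacts.abuse.net"),
    ("198.51.100.7", "example.org.contacts.abuse.net"),
]

if __name__ == "__main__":
    # Name taken from the host(1) lookups quoted in the message.
    print(round(amplification_factor("comcast.net.contacts.abuse.net", 108), 2))
    print(mixed_case_share(SAMPLE_LOG))
```

A share near 1.0 for a source means almost every query from it arrived with mixed-case letters, the pattern the message describes as random capitalization.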

