DNS "attack"

Mark Kent mark at noc.mainstreet.net
Sun Aug 25 20:16:44 UTC 2002


FYI,

I'm seeing a lot of DNS lookups for all the three letter domain names
for which we are listed as authoritative (we have five).  

The requests look like this:

req: nlookup(foo.com) id 64450 type=255 class=255

 212.100.232.17.domain > myserver.domain:  31881+ ANY ANY? foo.com. (25)
                         4500 0035 1e38 0000 ed11 e20a d464 e811
                         c7f5 4909 0035 0035 0021 0000 7c89 0100
                         0001 0000 0000 0000 0365 6f73 0363 6f6d
                         0000 ff00 ff

We get about 400 requests per minute, per "attacking" machine,
per authoritative name server, per domain.  

This happened on July 25 with these two sources:

194.186.87.197
130.94.23.70

and today, August 25, with this source:

212.100.232.17

Clearly, this is not a problem right now.  But if the
number of attacking machines grows, then any machine that
serves many three-letter domain names might notice.

And who knows, maybe the cretins will get creative and move
to four letter domains!

Just FYI,
-mark

P.S.  I mentioned the two dates above (7/25, 8/25) purely for
      entertainment purposes.  Consistent with the NY Times
      article last weekend about putting too much weight in 
      events that are merely coincidences, I don't mean to imply
      that there is a "25th of the month" conspiracy afoot.
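Detection logic for the query pattern described above, added here as an example that is not part of Mark's message or any NANOG tool: it decodes a constructed DNS question payload to confirm the type=255/class=255 (ANY/ANY) signature, then counts ANY/ANY queries per source, minute and queried name over constructed tcpdump one-liners. The 100-per-minute threshold and the RFC 5737 sample addresses are assumptions, not values from the post.

```python
import re
import struct
from collections import Counter

def parse_question(payload: bytes) -> dict:
    """Decode the header and first question of a DNS message (RFC 1035)."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while payload[pos] != 0:            # QNAME: length-prefixed labels, 0 ends
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return {"id": txid, "rd": bool(flags & 0x0100),
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

def is_any_any(q: dict) -> bool:
    """QTYPE 255 with QCLASS 255, the combination seen in the post.
    Normal resolvers query class IN (1); class ANY in a query is itself odd."""
    return q["qtype"] == 255 and q["qclass"] == 255

# Constructed UDP payload: id 0x7c89, RD set, one question foo.com type=255 class=255.
SAMPLE_QUERY = (bytes.fromhex("7c89 0100 0001 0000 0000 0000")
                + b"\x03foo\x03com\x00" + b"\x00\xff\x00\xff")

# tcpdump one-liner in the post's format, with the timestamp tcpdump prints in front.
LINE_RE = re.compile(
    r"^(\d\d:\d\d):\d\d\S*\s+(\S+?)\.domain > \S+:\s+\d+\+?\s+ANY ANY\?\s+(\S+)")

def flag_sources(lines, threshold: int = 100) -> dict:
    """Return (source, minute, qname) tuples whose ANY/ANY count meets the threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            minute, src, qname = m.groups()
            counts[(src, minute, qname.rstrip("."))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed traffic: 192.0.2.7 sends 120 ANY/ANY queries in one minute,
# 198.51.100.5 sends one ANY/ANY and one ordinary A query (not matched).
SAMPLE_LINES = [f"20:16:{i % 60:02d}.{i:06d} 192.0.2.7.domain > myserver.domain: "
                f"{30000 + i}+ ANY ANY? foo.com. (25)" for i in range(120)]
SAMPLE_LINES.append("20:16:30.000001 198.51.100.5.domain > myserver.domain: 41+ ANY ANY? foo.com. (25)")
SAMPLE_LINES.append("20:16:31.000002 198.51.100.5.43210 > myserver.domain: 42+ A? www.foo.com. (29)")

if __name__ == "__main__":
    q = parse_question(SAMPLE_QUERY)
    print(q, "ANY/ANY" if is_any_any(q) else "normal")
    print(flag_sources(SAMPLE_LINES))
```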
