Net-24 top prefix generating bogus RFC-1918 queries

John Brown jmbrown at chagresventures.com
Sun Jun 1 05:38:31 UTC 2003


Operators within Net-24 (typically Cable Operators) would
do well to set up an AS112 anycasted DNS server within
their networks.

Cable modem users typically NAT their connections to allow
multiple machines at home to be "online".  This causes 
local hosts to generate junk traffic towards the global 
internet when these machines query for or try DynaDNS
updates on RFC-1918 addresses.

In a 100,000 query sample (lasted for 30 seconds) we saw
768 unique Net-24 prefixes.  All of them had multiple 
queries within the sample period.

Looking at the raw data, we saw 7444 queries out of
100,000 queries from Net-24 prefixes.  

Given this, each Net-24 query, on average, asked for
info 10 times within the 30 sec sample window.

All of this is from an AS112 server located in NM that
is announcing the AS112 prefix towards our transit provider
AS 1239. 



If you are not aware of the AS112 project you should
look at :

http://www.as112.net  Site maintained by Paul Vixie


My setup tips page:
http://www.chagreslabs.net/jmbrown/research/as112/index.html




Based on a 1,000,000 query (2 min period of time) here are the
top 20 /8's that gen bogus queries for RFC-1918 related DNS
data.  

61637           24.0.0.0
51596           65.0.0.0
36974           216.0.0.0
32925           63.0.0.0
31503           66.0.0.0
31483           208.0.0.0
30760           217.0.0.0
25813           168.0.0.0
25538           151.0.0.0
25300           209.0.0.0
19862           200.0.0.0
19375           68.0.0.0
17568           207.0.0.0
17303           80.0.0.0
16585           141.0.0.0
13831           64.0.0.0
11652           206.0.0.0
10295           204.0.0.0
10016           205.0.0.0
7795            218.0.0.0
6666            202.0.0.0
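
Added example, not part of the original post and not the author's tooling: one way
to produce per-/8 and per-/24 tallies like the ones above from a query capture. The
"source qname qtype" record format, the function names and the sample records are
assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in an assumed "source qname qtype" format, using
# documentation addresses as sources. Not data from the post.
SAMPLE = """\
192.0.2.10 1.0.168.192.in-addr.arpa PTR
192.0.2.10 1.0.168.192.in-addr.arpa PTR
192.0.2.77 10.in-addr.arpa SOA
198.51.100.5 5.1.16.172.in-addr.arpa PTR
198.51.100.5 4.3.2.1.in-addr.arpa PTR
203.0.113.9 1.1.32.172.in-addr.arpa PTR
garbage line
""".splitlines()

def is_rfc1918_reverse(qname):
    """True if qname is under the reverse zone of 10/8, 172.16/12 or 192.168/16."""
    name = qname.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return False
    # Labels nearest the suffix are the most significant address octets.
    labels = name[: -len(suffix)].split(".")[::-1]
    if not labels[0].isdecimal():
        return False
    first = int(labels[0])
    second = int(labels[1]) if len(labels) > 1 and labels[1].isdecimal() else None
    if first == 10:
        return True
    if first == 172:
        return second is not None and 16 <= second <= 31
    return first == 192 and second == 168

def tally_sources(lines, prefixlen):
    """Count RFC 1918 reverse queries per source prefix of length prefixlen."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 3 or not is_rfc1918_reverse(fields[1]):
            continue  # malformed record, or not an RFC 1918 reverse query
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{prefixlen}", strict=False)
        except ValueError:
            continue  # source field is not an IP address
        counts[str(net)] += 1
    return counts

if __name__ == "__main__":
    for net, n in tally_sources(SAMPLE, 8).most_common():
        print(f"{n}\t{net}")
```

Calling tally_sources with a prefix length of 24 instead of 8 gives the per-/24
view an operator would use to find which customer blocks are leaking the queries.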



