Odd DNS Traffic
McBurnett, Jim
jmcburnett at msmgmt.com
Wed Mar 26 22:24:05 UTC 2003
Michael,
Do you have a packet sniff of the traffic?
Possibly a sniff of at least 10000 packets?
HMMM..
I have seen some increase at our Corp DNS, but not that much...
drop me a note offlist with the sniff.. I would like to look at this..
Jim
> -----Original Message-----
> From: Support Team [mailto:support at snworks.com]
> Sent: Wednesday, March 26, 2003 4:01 PM
> To: nanog at merit.edu
> Subject: Odd DNS Traffic
>
>
>
> First I would like to note I am new to the list and group. It's nice to
> be here.
>
> Second, since Monday, March 24th at approx 1am we have been suffering
> from "odd" DNS traffic to our two primary DNS servers. The odd traffic
> has increased our bandwidth utilization by about 20 Mbps, which is
> obviously putting a hurting on our network and our DNS servers.
>
> I know this must also be affecting other networks, and if anything the
> root servers. If anyone has any suggestions, etc, they would be much
> appreciated.
>
> Thank you,
> Michael Mannella
> Support Team
> Synergy Networks, Inc.
>
> Here are the symptoms:
> ============================================
>
> The odd traffic started with the root servers, namely
> (a-m).gtld-servers.net . Most of the traffic is still coming from them,
> but other servers have also started sending us this odd traffic.
>
> We have 3 dns servers, only two are being affected, they are our Primary
> and Secondary servers that are listed with Network Solutions. The third
> server (that is not being affected) is not listed with NetSol and has no
> DNS records setup in it. It is strictly being used for lookups.
>
> The odd traffic is listed as a "DNS Spoof attempt" on our firewall.
>
> The odd traffic looks like this:
>
> Rcv 192.48.79.30 0cbb R Q [0084 A NOERROR]
> (8)Îҵĵ绰(3)COM(0)
> UDP response info at 01ADC8BC
> Socket = 380
> Remote addr 192.48.79.30, port 53
> Time Query=147367, Queued=0, Expire=0
> Buf length = 0x0200 (512)
> Msg length = 0x010e (270)
> Message:
> XID 0x0cbb
> Flags 0x8400
> QR 1 (response)
> OPCODE 0 (QUERY)
> AA 1
> TC 0
> RD 0
> RA 0
> Z 0
> RCODE 0 (NOERROR)
> QCOUNT 0x1
> ACOUNT 0x1
> NSCOUNT 0xd
> ARCOUNT 0x0
> Offset = 0x000c, RR count = 0
> Name "(8)Îҵĵ绰(3)COM(0)"
> QTYPE A (1)
> QCLASS 1
> ANSWER SECTION:
> Offset = 0x001e, RR count = 0
> Name "[C00C](8)Îҵĵ绰(3)COM(0)"
> TYPE A (1)
> CLASS 1
> TTL 300
> DLEN 4
> DATA 198.41.1.35
> AUTHORITY SECTION:
> Offset = 0x002e, RR count = 0
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 20
> DATA (1)g(12)gtld-servers(3)net(0)
> Offset = 0x004e, RR count = 1
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)h[C03C](12)gtld-servers(3)net(0)
> Offset = 0x005e, RR count = 2
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)d[C03C](12)gtld-servers(3)net(0)
> Offset = 0x006e, RR count = 3
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)j[C03C](12)gtld-servers(3)net(0)
> Offset = 0x007e, RR count = 4
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)i[C03C](12)gtld-servers(3)net(0)
> Offset = 0x008e, RR count = 5
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)l[C03C](12)gtld-servers(3)net(0)
> Offset = 0x009e, RR count = 6
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)b[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ae, RR count = 7
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)e[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00be, RR count = 8
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)a[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ce, RR count = 9
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)k[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00de, RR count = 10
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)f[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00ee, RR count = 11
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)c[C03C](12)gtld-servers(3)net(0)
> Offset = 0x00fe, RR count = 12
> Name "[C015](3)COM(0)"
> TYPE NS (2)
> CLASS 1
> TTL 172800
> DLEN 4
> DATA (1)m[C03C](12)gtld-servers(3)net(0)
> ADDITIONAL SECTION:
>
> The DNS server encountered an invalid domain name in a packet from
> 192.48.79.30. The packet is
> rejected.
>
>
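The log above shows a response whose first QNAME label holds eight non-ASCII octets, which is why the Windows DNS server rejected the packet as an invalid domain name. The following is an added example, not code from the list post: it rebuilds a 270-byte message with the same layout as the logged one (the label octets are an assumption, recovered from the log's Latin-1 rendering of "Îҵĵ绰"), decodes names including compression pointers, and applies the strict letters-digits-hyphen label check that flags such traffic.

```python
import re
import struct

# Constructed sample, not a capture: a 270-byte response laid out exactly like
# the log above (XID 0x0cbb, flags 0x8400, QD=1 AN=1 NS=13 AR=0). ODD_LABEL is
# the assumed raw 8-octet first label that the log renders as "Îҵĵ绰".
ODD_LABEL = bytes.fromhex("ced2b5c4b5e7bbb0")
NS_LETTERS = "ghdjilbeakfcm"          # authority record order seen in the log
LDH = re.compile(rb"[A-Za-z0-9-]+")   # RFC 952/1123 hostname label alphabet

def build_sample_response() -> bytes:
    msg = struct.pack("!6H", 0x0CBB, 0x8400, 1, 1, len(NS_LETTERS), 0)
    msg += bytes([len(ODD_LABEL)]) + ODD_LABEL + b"\x03COM\x00"   # QNAME at 0x0c
    msg += struct.pack("!HH", 1, 1)                                # A, IN
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 41, 1, 35])
    for i, letter in enumerate(NS_LETTERS):   # owner [C015] = "COM" at 0x15
        tail = b"\x0cgtld-servers\x03net\x00" if i == 0 else b"\xc0\x3c"
        rdata = b"\x01" + letter.encode() + tail   # later RRs point back to 0x3c
        msg += b"\xc0\x15" + struct.pack("!HHIH", 2, 1, 172800, len(rdata)) + rdata
    return msg

def read_name(msg: bytes, off: int):
    """Decode the name at `off`, following compression pointers; returns
    (labels, offset just past the name as it is stored in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length >= 0xC0:                                  # 11xxxxxx: pointer
            end = end if end is not None else off + 2
            hops += 1
            if hops > 16:                                   # refuse pointer loops
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return labels, end if end is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + length])
            off += 1 + length

def scan_response(msg: bytes):
    """Walk every owner name; return (section, offset, label) for labels
    outside the LDH alphabet, i.e. what a strict server rejects."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, bad = 12, []
    for sec, count in (("QUESTION", qd), ("ANSWER", an), ("AUTHORITY", ns), ("ADDITIONAL", ar)):
        for _ in range(count):
            labels, nxt = read_name(msg, off)
            bad += [(sec, off, l) for l in labels if not LDH.fullmatch(l)]
            rdlen = 0 if sec == "QUESTION" else struct.unpack("!H", msg[nxt + 8:nxt + 10])[0]
            off = nxt + 4 if sec == "QUESTION" else nxt + 10 + rdlen   # QTYPE/QCLASS or RR fields + RDATA
    return bad
```

Running scan_response on the sample reports the 8-octet label at offsets 0x0c (question) and 0x1e (answer, via the [C00C] pointer), while all thirteen "COM" / "gtld-servers.net" names pass.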