Unusual IN ANY DNS Traffic

Douglas E. Warner dwarner at ctinetworks.com
Tue May 10 15:22:16 UTC 2005


Since about 03:00 UTC this morning I've been seeing a huge increase in "IN 
ANY" requests for "msn.com.".  While my name servers have not seen much, if 
any, "IN ANY" queries in the past, now I'm seeing ~ 50 queries/second.  I'll 
include a tcpdump sample below.
Actually, while I was writing this post the queries seem to have stopped 
(15:05 UTC).
Is this typical of a botnet or some worm propagating?  Any experience in this 
type of traffic would be very much appreciated.

-Doug

==== tcpdump - times in EDT ====

# tcpdump -nn dst port 53 | grep 'ANY'
tcpdump: listening on eth0
10:27:16.748561 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.751724 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  15+ ANY? msn.com. (25) (DF)
10:27:16.758276 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.758440 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  3+ ANY? msn.com. (25) (DF)
10:27:16.758443 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  10+ ANY? msn.com. (25) (DF)
10:27:16.759799 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.761228 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  10+ ANY? msn.com. (25) (DF)
10:27:16.762209 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.764992 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  7+ ANY? msn.com. (25) (DF)
10:27:16.765981 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.766676 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.766798 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  8+ ANY? msn.com. (25) (DF)

-- 
Douglas E. Warner    <dwarner at ctinetworks.com>     Network Engineer
CTI Networks, Inc.   http://www.ctinetworks.com    +1 717 975 9000
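The post describes spotting the burst by eyeballing tcpdump output and estimating the rate by hand. As an added example (not part of the original post or of any tool the author used), the script below parses lines in the tcpdump DNS summary format shown above, counts queries of one type per second, per source address and per queried name, and flags the (second, source, name) buckets that cross a threshold, which is the check a resolver operator would want in order to notice a flood like this one automatically. The sample capture lines, the addresses in the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, and the threshold of three queries per second are constructed for the example; a real deployment would read `tcpdump -nn dst port 53` output from a pipe and choose a threshold from its own baseline.

```python
import re
from collections import Counter

# Matches the tcpdump DNS summary format from the post:
# "HH:MM:SS.usec SRC.PORT > DST.PORT:  ID+ QTYPE? NAME. (LEN) (DF)"
LINE_RE = re.compile(
    r"^(?P<second>\d{2}:\d{2}:\d{2})\.(?P<usec>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)"
)

# Constructed sample capture (documentation-range addresses, not the post's data):
# three ANY queries for one name from one source in a single second, plus
# ordinary A/MX traffic and one lone ANY query in the next second.
SAMPLE_CAPTURE = """\
10:27:16.748561 198.51.100.7.53 > 203.0.113.10.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.751724 198.51.100.7.53 > 203.0.113.10.53:  15+ ANY? msn.com. (25) (DF)
10:27:16.758276 198.51.100.7.53 > 203.0.113.10.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.760001 198.51.100.9.1234 > 203.0.113.10.53:  4+ A? www.example.com. (33) (DF)
10:27:17.100002 198.51.100.7.53 > 203.0.113.10.53:  9+ ANY? msn.com. (25) (DF)
10:27:17.200003 198.51.100.9.1234 > 203.0.113.10.53:  5+ MX? example.net. (29) (DF)
"""


def parse_line(line):
    """Parse one tcpdump DNS summary line into a dict, or None if it is not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "second": d["second"],          # whole-second timestamp used as the bucket key
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "qtype": d["qtype"],
        "qname": d["qname"],
    }


def query_rates(lines, qtype="ANY"):
    """Count queries of the given type per (second, source address, queried name)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["qtype"] == qtype:
            counts[(rec["second"], rec["src"], rec["qname"])] += 1
    return counts


def flag_bursts(counts, threshold):
    """Return sorted (second, src, qname, count) tuples at or above the threshold."""
    return sorted(
        (second, src, qname, n)
        for (second, src, qname), n in counts.items()
        if n >= threshold
    )


def source_port_53_fraction(lines, qtype="ANY"):
    """Fraction of the given query type sent from source port 53 (the pattern in the post)."""
    total = from_53 = 0
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["qtype"] == qtype:
            total += 1
            from_53 += rec["sport"] == 53
    return from_53 / total if total else 0.0


if __name__ == "__main__":
    rates = query_rates(SAMPLE_CAPTURE.splitlines())
    for second, src, qname, n in flag_bursts(rates, threshold=3):
        print(f"{second} {src} -> {n} ANY queries/s for {qname}")
    print(f"ANY queries from source port 53: {source_port_53_fraction(SAMPLE_CAPTURE.splitlines()):.0%}")
```

Bucketing by whole second keeps the detector aligned with the "queries/second" figure the post quotes; keying on source address and name separately from the count means a flood from many sources for one name, or from one source for many names, shows up as many small buckets rather than one large one, so an operator who wants the aggregate rate should also sum the counter over the source or name dimension.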
