isprime DOS in progress
Andrew Fried
andrew.fried at gmail.com
Sun Jan 25 05:54:07 UTC 2009
I extracted all logs from one of my DNS servers that reflected an
"'./NS/IN' denied" message, pumped them into a database and ran a few
queries.
The first query shows the number of "denied" messages on my DNS server,
sorted by date. The amount of traffic definitely picked up on January 21st:
+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 03-Jan-2009 |          20 |
| 04-Jan-2009 |         173 |
| 05-Jan-2009 |         407 |
| 06-Jan-2009 |        6429 |
| 07-Jan-2009 |        6391 |
| 08-Jan-2009 |        1421 |
| 09-Jan-2009 |         398 |
| 10-Jan-2009 |         402 |
| 11-Jan-2009 |         257 |
| 12-Jan-2009 |         174 |
| 13-Jan-2009 |         168 |
| 14-Jan-2009 |         451 |
| 15-Jan-2009 |         959 |
| 16-Jan-2009 |       31410 |
| 17-Jan-2009 |       79418 |
| 18-Jan-2009 |       64788 |
| 19-Jan-2009 |       90391 |
| 20-Jan-2009 |       71683 |
| 21-Jan-2009 |      104413 |
| 22-Jan-2009 |      104344 |
| 23-Jan-2009 |      105686 |
| 24-Jan-2009 |      105853 |
| 25-Jan-2009 |        1757 |
+-------------+-------------+
This report shows the number of queries grouped by host IP:
+-----------------+-------------+
| host            | count(host) |
+-----------------+-------------+
| 10.168.69.6     |        1059 |
| 123.127.121.245 |         528 |
| 202.106.83.125  |         530 |
| 203.121.29.11   |         426 |
| 203.121.29.12   |         402 |
| 206.71.158.30   |       45047 |
| 209.123.8.64    |         361 |
| 209.123.8.99    |         617 |
| 211.72.249.201  |         786 |
| 211.95.81.245   |         530 |
| 213.61.92.192   |         863 |
| 216.201.82.19   |        4548 |
| 216.201.83.2    |        3411 |
| 216.240.131.173 |        1081 |
| 219.142.91.125  |         530 |
| 220.181.168.251 |         451 |
| 58.26.5.43      |         426 |
| 58.26.5.44      |         367 |
| 60.247.99.245   |         530 |
| 61.129.61.245   |           5 |
| 63.217.28.226   |      130907 |
| 66.230.128.15   |      123551 |
| 66.230.160.1    |      176558 |
| 66.238.93.161   |         789 |
| 69.31.52.214    |          15 |
| 69.50.137.175   |       22068 |
| 69.50.142.11    |      114048 |
| 69.50.142.110   |       15483 |
| 74.86.34.144    |        1188 |
| 76.9.16.171     |       57275 |
| 76.9.31.42      |       72669 |
| 91.199.112.18   |         344 |
+-----------------+-------------+
And finally, I looked at all log entries reflecting the host IP
'206.71.158.30'. The first time my DNS server logged that IP address
was on January 24th:
+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 24-Jan-2009 |       43441 |
| 25-Jan-2009 |        1606 |
+-------------+-------------+
Finally, when I focused strictly on logs from January 24th, 5 hosts came up:
+---------------+-------------+
| host          | count(host) |
+---------------+-------------+
| 10.168.69.6   |          51 |
| 206.71.158.30 |       43441 |
| 63.217.28.226 |       57955 |
| 66.230.160.1  |        4014 |
| 76.9.16.171   |         392 |
+---------------+-------------+
A tail end of the logs related to 206.71.158.30 indicates queries
originating, on average, about one second apart:
+-------------+--------------+---------------+
| 25-Jan-2009 | 00:22:58.644 | 206.71.158.30 |
| 25-Jan-2009 | 00:22:59.056 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.565 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.643 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.949 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:02.640 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.330 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.639 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:05.283 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.646 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.792 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:07.176 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:08.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.556 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:11.509 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:12.652 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.018 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.402 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:14.656 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.783 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:17.736 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:18.666 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.245 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.629 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:20.662 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:22.658 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.010 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.963 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:24.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.472 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.856 | 206.71.158.30 |
+-------------+--------------+---------------+
Andrew
Brian Keefer wrote:
>
>
> On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote:
>
>> Looks to me like the target has moved, anyone else seeing similar?
>
> It's switched again. The new target is 206.71.158.30 .
>
> Overnight it cycled through several different IPs (testing the
> waters?), and finally started on this one around 10:26 Pacific time
> this morning.
>
> Timeline below.
>
> --
> bk
>
> Jan 23 23:24:47 imhotep named[32762]: client 63.217.28.226#53: view
> ext: query (cache) './NS/IN' denied
> Jan 24 00:51:11 imhotep named[32762]: client 208.78.169.236#33027:
> view ext: query (cache) './NS/IN' denied
> Jan 24 00:51:11 imhotep last message repeated 2 times
> Jan 24 00:51:11 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 00:51:11 imhotep last message repeated 2 times
> Jan 24 00:51:30 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 00:51:30 imhotep last message repeated 2 times
> Jan 24 01:54:44 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 01:54:44 imhotep last message repeated 2 times
> Jan 24 01:55:44 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 01:55:44 imhotep last message repeated 2 times
> Jan 24 01:57:46 imhotep named[32762]: client 208.78.169.235#46265:
> view ext: query (cache) './NS/IN' denied
> Jan 24 01:57:46 imhotep last message repeated 2 times
> Jan 24 02:58:29 imhotep named[32762]: client 208.37.177.62#46265: view
> ext: query (cache) './NS/IN' denied
> Jan 24 02:58:30 imhotep last message repeated 2 times
> Jan 24 03:00:34 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 03:00:35 imhotep last message repeated 2 times
> Jan 24 03:05:05 imhotep named[32762]: client 208.78.169.236#33027:
> view ext: query (cache) './NS/IN' denied
> Jan 24 03:05:05 imhotep last message repeated 2 times
> Jan 24 03:07:49 imhotep named[32762]: client 63.217.28.226#53: view
> ext: query (cache) './NS/IN' denied
> Jan 24 04:02:38 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 04:02:38 imhotep last message repeated 2 times
> Jan 24 04:05:43 imhotep named[32762]: client 204.11.51.59#32802: view
> ext: query (cache) './NS/IN' denied
> Jan 24 04:05:43 imhotep last message repeated 2 times
> Jan 24 04:12:52 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 04:12:52 imhotep last message repeated 2 times
> Jan 24 05:07:37 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 05:07:37 imhotep last message repeated 2 times
> Jan 24 05:11:35 imhotep named[32762]: client 204.11.51.59#32802: view
> ext: query (cache) './NS/IN' denied
> Jan 24 05:11:35 imhotep last message repeated 2 times
> Jan 24 05:21:36 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 05:21:37 imhotep last message repeated 2 times
> Jan 24 06:16:06 imhotep named[32762]: client 208.37.177.62#46265: view
> ext: query (cache) './NS/IN' denied
> Jan 24 06:16:06 imhotep last message repeated 2 times
> Jan 24 06:20:19 imhotep named[32762]: client 204.11.51.61#43329: view
> ext: query (cache) './NS/IN' denied
> Jan 24 06:20:19 imhotep last message repeated 2 times
> Jan 24 06:29:37 imhotep named[32762]: client 208.78.169.235#46265:
> view ext: query (cache) './NS/IN' denied
> Jan 24 06:29:37 imhotep last message repeated 2 times
> Jan 24 06:35:11 imhotep named[32762]: client 149.20.52.161#61452: view
> ext: notify question section contains no SOA
> Jan 24 07:23:06 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 07:23:06 imhotep last message repeated 2 times
> Jan 24 07:28:27 imhotep named[32762]: client 204.11.51.60#32831: view
> ext: query (cache) './NS/IN' denied
> Jan 24 07:28:27 imhotep last message repeated 2 times
> Jan 24 07:40:25 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 07:40:25 imhotep last message repeated 2 times
> Jan 24 08:29:57 imhotep named[32762]: client 208.37.177.61#42517: view
> ext: query (cache) './NS/IN' denied
> Jan 24 08:29:57 imhotep last message repeated 2 times
> Jan 24 08:36:10 imhotep named[32762]: client 204.11.51.61#43330: view
> ext: query (cache) './NS/IN' denied
> Jan 24 08:36:11 imhotep last message repeated 2 times
> Jan 24 08:52:45 imhotep named[32762]: client 208.78.169.235#46265:
> view ext: query (cache) './NS/IN' denied
> Jan 24 08:52:45 imhotep last message repeated 2 times
> Jan 24 08:55:54 imhotep named[32762]: client 149.20.58.131#59151: view
> ext: query (cache) 'localhost/A/IN' denied
> Jan 24 09:36:38 imhotep named[32762]: client 208.37.177.62#46265: view
> ext: query (cache) './NS/IN' denied
> Jan 24 09:36:38 imhotep last message repeated 2 times
> Jan 24 09:43:53 imhotep named[32762]: client 204.11.51.61#43330: view
> ext: query (cache) './NS/IN' denied
> Jan 24 09:43:54 imhotep last message repeated 2 times
> Jan 24 09:53:56 imhotep named[32762]: client 63.217.28.226#53: view
> ext: query (cache) './NS/IN' denied
> Jan 24 10:05:28 imhotep named[32762]: client 208.78.169.234#42517:
> view ext: query (cache) './NS/IN' denied
> Jan 24 10:05:28 imhotep last message repeated 2 times
> Jan 24 10:26:09 imhotep named[32762]: client 206.71.158.30#18971: view
> ext: query (cache) './NS/IN' denied
> Jan 24 10:26:11 imhotep named[32762]: client 206.71.158.30#47622: view
> ext: query (cache) './NS/IN' denied
> Jan 24 10:26:13 imhotep named[32762]: client 206.71.158.30#16077: view
> ext: query (cache) './NS/IN' denied
>
>
>
--
Andrew Fried
andrew.fried at gmail.com
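As an added example (not part of Andrew's post or of any NANOG tooling), the following Python script reproduces the per-day, per-host and query-spacing summaries above directly from BIND log lines in the syslog format quoted from Brian's message, including the "last message repeated N times" lines that a plain grep-and-count would miss. The sample lines are constructed from that quoted format; the year is an assumption, since syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the BIND/syslog format quoted in the thread.
SAMPLE_LOG = """\
Jan 24 00:51:11 imhotep named[32762]: client 208.78.169.236#33027: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 06:35:11 imhotep named[32762]: client 149.20.52.161#61452: view ext: notify question section contains no SOA
Jan 24 10:26:09 imhotep named[32762]: client 206.71.158.30#18971: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:11 imhotep named[32762]: client 206.71.158.30#47622: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:13 imhotep named[32762]: client 206.71.158.30#16077: view ext: query (cache) './NS/IN' denied
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
DENIED_RE = re.compile(TS + r" \S+ named\[\d+\]: client (?P<ip>[\d.]+)#\d+: "
                       r"(?:view \S+: )?query \(cache\) '(?P<q>[^']+)' denied$")
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times$")

def parse_denied(lines, qname="./NS/IN", year=2009):
    """Return [(datetime, client_ip)] for each denied query of qname. The year
    is assumed (syslog omits it); repeat lines expand to N more events."""
    events, last = [], None
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            last = (ts, m["ip"]) if m["q"] == qname else None
            if last:
                events.append(last)
            continue
        r = REPEAT_RE.match(line)
        if r and last:
            events.extend([last] * int(r["n"]))  # same client, same timestamp
        else:
            last = None  # any unrelated line breaks the repeat chain

    return events

def count_by_day(events):
    return Counter(ts.strftime("%d-%b-%Y") for ts, _ in events)

def count_by_host(events):
    return Counter(ip for _, ip in events)

def mean_gap_seconds(events, ip):
    """Average spacing between consecutive denied queries from one client."""
    times = sorted(ts for ts, h in events if h == ip)
    if len(times) < 2: return None
    return (times[-1] - times[0]).total_seconds() / (len(times) - 1)
```

Feed it `open("/var/log/messages")` instead of `SAMPLE_LOG.splitlines()` to get the same tables from a live server; the notify line shows that unrelated client messages are ignored rather than miscounted.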
More information about the NANOG
mailing list