BCP38, DNS Reflection and IPv6

Alain Hebert ahebert at pubnix.net
Fri Mar 7 13:36:13 UTC 2014


    A few observations for this Friday.

------

    We were finally able to register our NS IPv6 with NetSol and I just
noticed IPv6 DNS Reflection Attempts (*) starting a few days after.

* By attempts, they could also be probes from projects, but they need to
be pretty aggressive to end up listed here.

Examples with logs:

    Toward HE Tunnels

2001:470:6d:5b8::12
        1138 queries: . IN ANY +ED (<HoneyPot IPv6>)

    Toward RackSpace

2001:4801:7821:77:7c1b:4e53:ff10:4961
        2191 queries: . IN ANY +ED (<HoneyPot IPv6>)

    There are also 2 more to HE Tunnels and 1 to OVH, but we only archive
a few GB of query logs.

    Having none of the volume, I wonder how bad it would be to ACL a
source IPv6 (/56 to /32) on most CPE, local & regional distribution routers.

-----

    On another note, the same honeypot was receiving a constant stream
of 1Mbps in reflection DNS queries, from the 22nd at 13h EST until the
28th at 5h30m EST.

    My guess is that the CC renew transaction didn't pass or the CC
finally returned as stolen.

-----

    This morning doc.gov is very popular on the pot, about 10k bytes
worth of DNSSEC KEY and SIG.

    And they're just doing from 25 to 50 queries then stopping for 10s
to a minute.

    I have a good idea why.

-- 
-----
Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
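
The per-source tallies quoted in the message can be rebuilt from raw query logs, and the prefix width considered for an ACL (/56 to /32) changes how sources group together. The following is an added example, not part of the original post: it assumes BIND 9 querylog-style lines, uses constructed sample data in the 2001:db8::/32 documentation prefix, and the function names and threshold are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumed BIND 9 querylog style, documentation
# prefixes only); these are not log entries from the post.
SAMPLE_LOG = """\
07-Mar-2014 08:00:01.100 client 2001:db8:6d:5b8::12#4444 (.): query: . IN ANY +ED (2001:db8:ffff::53)
07-Mar-2014 08:00:01.200 client 2001:db8:6d:5b8::12#4445 (.): query: . IN ANY +ED (2001:db8:ffff::53)
07-Mar-2014 08:00:01.300 client 2001:db8:6d:5b9::7#4446 (.): query: . IN ANY +ED (2001:db8:ffff::53)
07-Mar-2014 08:00:02.000 client 2001:db8:77:1::a#5353 (example.net): query: example.net IN AAAA + (2001:db8:ffff::53)
07-Mar-2014 08:00:02.500 client 2001:db8:6d:5c0::1#4447 (.): query: . IN ANY +ED (2001:db8:ffff::53)
07-Mar-2014 08:00:03.000 client 192.0.2.9#4448 (.): query: . IN ANY +E (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f:.]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def any_query_sources(log_text, prefix_len=56):
    """Count '. IN ANY' queries per logged IPv6 source prefix."""
    per_prefix = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["qname"] != "." or m["qtype"] != "ANY":
            continue  # not a root ANY query
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source field
        if addr.version != 6:
            continue  # this example only covers IPv6 sources
        # strict=False masks the host bits down to the chosen prefix length
        net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
        per_prefix[str(net)] += 1
    return per_prefix

def flag_prefixes(log_text, prefix_len=56, threshold=2):
    """Return prefixes whose root ANY query count reaches the threshold."""
    counts = any_query_sources(log_text, prefix_len)
    return sorted(p for p, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for plen in (64, 56, 48):
        print(plen, dict(any_query_sources(SAMPLE_LOG, plen)))
```

At /64 only one of the three constructed sources reaches the threshold, while at /56 all of them collapse into a single entry, which is the trade-off behind picking an ACL width.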




