They are probably spoofed IPs. So those are the target IPs of a DDoS.

What kind of amplification factor does your DNS server have? I bet with the changes you’ve made, it’s super high. People are looking for DNS servers like that.

Tom

On Dec 3, 2023, at 10:49 AM, John Levine <johnl@iecc.com> wrote:
At contacts.abuse.net, I have a little stunt DNS server that provides domain contact info, e.g.:
$ host -t txt comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net descriptive text "abuse@comcast.net"
$ host -t hinfo comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net host information "lookup" "comcast.net"
Every once in a while someone decides to look up every domain in the world and DoS'es it until I update my packet filters. This week it's been this set of IPs that belong to Google. I don't think they're 8.8.8.8. Any idea what they are? Random Google Cloud customers? A secret DNS mapping project?
R's, John