I extracted all logs from one of my dns servers that reflected an "'./NS/IN' denied" message, pumped them into a database and ran a few queries.

The first query shows the number of "denied" messages on my dns server, sorted by date. The amount of traffic definitely picked up on January 21st:

+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 03-Jan-2009 |          20 |
| 04-Jan-2009 |         173 |
| 05-Jan-2009 |         407 |
| 06-Jan-2009 |        6429 |
| 07-Jan-2009 |        6391 |
| 08-Jan-2009 |        1421 |
| 09-Jan-2009 |         398 |
| 10-Jan-2009 |         402 |
| 11-Jan-2009 |         257 |
| 12-Jan-2009 |         174 |
| 13-Jan-2009 |         168 |
| 14-Jan-2009 |         451 |
| 15-Jan-2009 |         959 |
| 16-Jan-2009 |       31410 |
| 17-Jan-2009 |       79418 |
| 18-Jan-2009 |       64788 |
| 19-Jan-2009 |       90391 |
| 20-Jan-2009 |       71683 |
| 21-Jan-2009 |      104413 |
| 22-Jan-2009 |      104344 |
| 23-Jan-2009 |      105686 |
| 24-Jan-2009 |      105853 |
| 25-Jan-2009 |        1757 |
+-------------+-------------+

This report shows the number of queries grouped by host IP:

+-----------------+-------------+
| host            | count(host) |
+-----------------+-------------+
| 10.168.69.6     |        1059 |
| 123.127.121.245 |         528 |
| 202.106.83.125  |         530 |
| 203.121.29.11   |         426 |
| 203.121.29.12   |         402 |
| 206.71.158.30   |       45047 |
| 209.123.8.64    |         361 |
| 209.123.8.99    |         617 |
| 211.72.249.201  |         786 |
| 211.95.81.245   |         530 |
| 213.61.92.192   |         863 |
| 216.201.82.19   |        4548 |
| 216.201.83.2    |        3411 |
| 216.240.131.173 |        1081 |
| 219.142.91.125  |         530 |
| 220.181.168.251 |         451 |
| 58.26.5.43      |         426 |
| 58.26.5.44      |         367 |
| 60.247.99.245   |         530 |
| 61.129.61.245   |           5 |
| 63.217.28.226   |      130907 |
| 66.230.128.15   |      123551 |
| 66.230.160.1    |      176558 |
| 66.238.93.161   |         789 |
| 69.31.52.214    |          15 |
| 69.50.137.175   |       22068 |
| 69.50.142.11    |      114048 |
| 69.50.142.110   |       15483 |
| 74.86.34.144    |        1188 |
| 76.9.16.171     |       57275 |
| 76.9.31.42      |       72669 |
| 91.199.112.18   |         344 |
+-----------------+-------------+

And finally, I looked at all log entries reflecting the host ip '206.71.158.30'. The first time my dns server logged that IP address was on January 24th:

+-------------+-------------+
| date        | count(date) |
+-------------+-------------+
| 24-Jan-2009 |       43441 |
| 25-Jan-2009 |        1606 |
+-------------+-------------+

Finally, when I focused strictly on logs from January 24th, 5 hosts came up:

+---------------+-------------+
| host          | count(host) |
+---------------+-------------+
| 10.168.69.6   |          51 |
| 206.71.158.30 |       43441 |
| 63.217.28.226 |       57955 |
| 66.230.160.1  |        4014 |
| 76.9.16.171   |         392 |
+---------------+-------------+

A tail end of the logs related to 206.71.158.30 indicate queries originating, on average, about one second apart:

| 25-Jan-2009 | 00:22:58.644 | 206.71.158.30 |
| 25-Jan-2009 | 00:22:59.056 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.565 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.643 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:00.949 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:02.640 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.330 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:04.639 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:05.283 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.646 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:06.792 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:07.176 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:08.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.556 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:10.653 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:11.509 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:12.652 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.018 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:13.402 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:14.656 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:16.783 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:17.736 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:18.666 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.245 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:19.629 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:20.662 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:22.658 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.010 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:23.963 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:24.665 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.472 | 206.71.158.30 |
| 25-Jan-2009 | 00:23:25.856 | 206.71.158.30 |
+-------------+--------------+---------------+

Andrew Brian Keefer wrote:
On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote:
Looks to me like the target has moved, anyone else seeing similar?
It's switched again. The new target is 206.71.158.30 .
Overnight it cycled through several different IPs (testing the waters?), and finally started on this one around 10:26 Pacific time this morning.
Timeline below.
-- bk
Jan 23 23:24:47 imhotep named[32762]: client 63.217.28.226#53: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep named[32762]: client 208.78.169.236#33027: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 00:51:11 imhotep named[32762]: client 204.11.51.60#32831: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:11 imhotep last message repeated 2 times
Jan 24 00:51:30 imhotep named[32762]: client 208.37.177.61#42517: view ext: query (cache) './NS/IN' denied
Jan 24 00:51:30 imhotep last message repeated 2 times
Jan 24 01:54:44 imhotep named[32762]: client 208.37.177.61#42517: view ext: query (cache) './NS/IN' denied
Jan 24 01:54:44 imhotep last message repeated 2 times
Jan 24 01:55:44 imhotep named[32762]: client 204.11.51.60#32831: view ext: query (cache) './NS/IN' denied
Jan 24 01:55:44 imhotep last message repeated 2 times
Jan 24 01:57:46 imhotep named[32762]: client 208.78.169.235#46265: view ext: query (cache) './NS/IN' denied
Jan 24 01:57:46 imhotep last message repeated 2 times
Jan 24 02:58:29 imhotep named[32762]: client 208.37.177.62#46265: view ext: query (cache) './NS/IN' denied
Jan 24 02:58:30 imhotep last message repeated 2 times
Jan 24 03:00:34 imhotep named[32762]: client 204.11.51.60#32831: view ext: query (cache) './NS/IN' denied
Jan 24 03:00:35 imhotep last message repeated 2 times
Jan 24 03:05:05 imhotep named[32762]: client 208.78.169.236#33027: view ext: query (cache) './NS/IN' denied
Jan 24 03:05:05 imhotep last message repeated 2 times
Jan 24 03:07:49 imhotep named[32762]: client 63.217.28.226#53: view ext: query (cache) './NS/IN' denied
Jan 24 04:02:38 imhotep named[32762]: client 208.37.177.61#42517: view ext: query (cache) './NS/IN' denied
Jan 24 04:02:38 imhotep last message repeated 2 times
Jan 24 04:05:43 imhotep named[32762]: client 204.11.51.59#32802: view ext: query (cache) './NS/IN' denied
Jan 24 04:05:43 imhotep last message repeated 2 times
Jan 24 04:12:52 imhotep named[32762]: client 208.78.169.234#42517: view ext: query (cache) './NS/IN' denied
Jan 24 04:12:52 imhotep last message repeated 2 times
Jan 24 05:07:37 imhotep named[32762]: client 208.37.177.61#42517: view ext: query (cache) './NS/IN' denied
Jan 24 05:07:37 imhotep last message repeated 2 times
Jan 24 05:11:35 imhotep named[32762]: client 204.11.51.59#32802: view ext: query (cache) './NS/IN' denied
Jan 24 05:11:35 imhotep last message repeated 2 times
Jan 24 05:21:36 imhotep named[32762]: client 208.78.169.234#42517: view ext: query (cache) './NS/IN' denied
Jan 24 05:21:37 imhotep last message repeated 2 times
Jan 24 06:16:06 imhotep named[32762]: client 208.37.177.62#46265: view ext: query (cache) './NS/IN' denied
Jan 24 06:16:06 imhotep last message repeated 2 times
Jan 24 06:20:19 imhotep named[32762]: client 204.11.51.61#43329: view ext: query (cache) './NS/IN' denied
Jan 24 06:20:19 imhotep last message repeated 2 times
Jan 24 06:29:37 imhotep named[32762]: client 208.78.169.235#46265: view ext: query (cache) './NS/IN' denied
Jan 24 06:29:37 imhotep last message repeated 2 times
Jan 24 06:35:11 imhotep named[32762]: client 149.20.52.161#61452: view ext: notify question section contains no SOA
Jan 24 07:23:06 imhotep named[32762]: client 208.37.177.61#42517: view ext: query (cache) './NS/IN' denied
Jan 24 07:23:06 imhotep last message repeated 2 times
Jan 24 07:28:27 imhotep named[32762]: client 204.11.51.60#32831: view ext: query (cache) './NS/IN' denied
Jan 24 07:28:27 imhotep last message repeated 2 times
Jan 24 07:40:25 imhotep named[32762]: client 208.78.169.234#42517: view ext: query (cache) './NS/IN' denied
Jan 24 07:40:25 imhotep last message repeated 2 times
Jan 24 08:29:57 imhotep named[32762]: client 208.37.177.61#42517: view ext: query (cache) './NS/IN' denied
Jan 24 08:29:57 imhotep last message repeated 2 times
Jan 24 08:36:10 imhotep named[32762]: client 204.11.51.61#43330: view ext: query (cache) './NS/IN' denied
Jan 24 08:36:11 imhotep last message repeated 2 times
Jan 24 08:52:45 imhotep named[32762]: client 208.78.169.235#46265: view ext: query (cache) './NS/IN' denied
Jan 24 08:52:45 imhotep last message repeated 2 times
Jan 24 08:55:54 imhotep named[32762]: client 149.20.58.131#59151: view ext: query (cache) 'localhost/A/IN' denied
Jan 24 09:36:38 imhotep named[32762]: client 208.37.177.62#46265: view ext: query (cache) './NS/IN' denied
Jan 24 09:36:38 imhotep last message repeated 2 times
Jan 24 09:43:53 imhotep named[32762]: client 204.11.51.61#43330: view ext: query (cache) './NS/IN' denied
Jan 24 09:43:54 imhotep last message repeated 2 times
Jan 24 09:53:56 imhotep named[32762]: client 63.217.28.226#53: view ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 imhotep named[32762]: client 208.78.169.234#42517: view ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 imhotep last message repeated 2 times
Jan 24 10:26:09 imhotep named[32762]: client 206.71.158.30#18971: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:11 imhotep named[32762]: client 206.71.158.30#47622: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:13 imhotep named[32762]: client 206.71.158.30#16077: view ext: query (cache) './NS/IN' denied
-- Andrew Fried andrew.fried@gmail.com
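
Added example, not part of the original thread: a Python tally of './NS/IN' denials per day and per client straight from syslog lines in the format quoted above, crediting syslog's "last message repeated N times" markers to the denial they duplicate so the counts are not understated. The function name, host name ns1 and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

# named "denied" line for a root NS query, in the format quoted in the thread.
DENIED = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \d\d:\d\d:\d\d \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+: .*query \(cache\) '\./NS/IN' denied$"
)
# syslog collapses identical consecutive lines into this marker.
REPEAT = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times?$"
)

def tally(lines):
    """Return (per_day, per_client, first_seen) for './NS/IN' denials."""
    per_day, per_client, first_seen = Counter(), Counter(), {}
    last_ip = None  # client of the previous line, if it was a root-NS denial
    for line in lines:
        line = line.rstrip("\n")
        m = DENIED.match(line)
        if m:
            last_ip = m["ip"]
            per_day[m["day"]] += 1
            per_client[last_ip] += 1
            first_seen.setdefault(last_ip, m["day"])
            continue
        r = REPEAT.match(line)
        if r and last_ip:
            # Repeats belong to the denial line immediately before them.
            per_day[r["day"]] += int(r["n"])
            per_client[last_ip] += int(r["n"])
        else:
            # Any other message breaks the chain, so a following
            # "repeated" marker is not counted as a root-NS denial.
            last_ip = None
    return per_day, per_client, first_seen

# Constructed sample input (not taken from the thread's logs).
SAMPLE = """\
Jan 24 10:05:28 ns1 named[4321]: client 192.0.2.10#42517: view ext: query (cache) './NS/IN' denied
Jan 24 10:05:28 ns1 last message repeated 2 times
Jan 24 10:06:01 ns1 named[4321]: client 198.51.100.7#59151: view ext: query (cache) 'localhost/A/IN' denied
Jan 24 10:06:02 ns1 last message repeated 4 times
Jan 24 10:26:09 ns1 named[4321]: client 203.0.113.30#18971: view ext: query (cache) './NS/IN' denied
Jan 24 10:26:11 ns1 named[4321]: client 203.0.113.30#47622: view ext: query (cache) './NS/IN' denied
Jan 25 00:22:58 ns1 named[4321]: client 203.0.113.30#16077: view ext: query (cache) './NS/IN' denied
""".splitlines()

if __name__ == "__main__":
    days, clients, seen = tally(SAMPLE)
    for ip, n in clients.most_common():
        print(f"{ip:15}  {n:6}  first seen {seen[ip]}")
```
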