A few observations for this Friday. ------ We where finally able to register our NS IPv6 with NetSol and I just noticed IPv6 DNS Reflection Attempts (*) starting a few days after. * By attempts, they could also be probes from projects, but they need to be pretty aggressive to end up listed here. Examples with logs: Toward HE Tunnels 2001:470:6d:5b8::12 1138 queries: . IN ANY +ED (<HoneyPot IPv6>) Toward RackSpace 2001:4801:7821:77:7c1b:4e53:ff10:4961 2191 queries: . IN ANY +ED (<HoneyPot IPv6>) There is also 2 more to HE Tunnels and 1 to OVH, but we only archive a few GB of query logs. Having none of the volume, I wonder how bad would it be to ACL a source IPv6 (/56 to /32) on most CPE, local & regional distribution routers. ----- On another note, the same honeypot was receiving a constant stream of 1Mbps in reflection DNS queries, from the 22th at 13h EST until the 28th at 5h30m EST. My guess is that the CC renew transaction didn't pass or the CC finally returned as stolen. ----- This morning doc.gov is very popular on the pot, about 10k bytes worth of DNSSEC KEY and SIG. And they're just doing from 25 to 50 queries then stopping for 10s to a minute. I have a good idea why. -- ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443