Doug Barton wrote:
On 02/18/2014 07:08 PM, Joe Maimon wrote:
Thousands of queries with thousands of source IP addresses.
Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses?
Doug
Thousands of queries _from_ thousands of source IP addresses. Likely they are spoofed. This is an example of what I am seeing:

root@nameserver3:~# baddnsqueries-srcs 9aq.com | wc -l
1337
root@nameserver3:~# grep 9aq.com /var/log/named/queries | wc -l
1415
root@nameserver3:~# baddnsqueries-srcs 9aq.com | sort -rn -k2 | head -n5
99.86.116.243 1
99.219.232.72 1
99.184.19.178 1
99.155.180.193 1
99.129.26.85 1
root@nameserver3:~# grep 9aq.com /var/log/named/queries | head -n5
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)
root@nameserver3:~# cat /usr/local/sbin/baddnsqueries-srcs
#!/bin/bash
# Usage: baddnsqueries-srcs <pattern>
# Lists every client IP that queried a name matching <pattern>, with its query count.
LOG=/var/log/named/queries
if [[ -z "$1" ]]; then exit 0; fi
# Field 6 of a BIND query log line is "client-ip#port:"; strip the port.
grep -E "$1" "$LOG" | cut -f6 -d' ' | cut -f1 -d'#' | sort -u |\
while read -r INPUT; do
  if [[ -z "$INPUT" ]]; then continue; fi
  # Match "client <ip>#" literally (-F) so 9.1.2.3 does not also count 19.1.2.3
  # and the dots are not treated as regex wildcards.
  echo "$INPUT" "$(grep -F "client $INPUT#" "$LOG" | grep -c -E "$1")"
done
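The pattern in Joe's log excerpt (random-looking labels under one zone, almost every query from a different client, and each client seen only once) is what a resolver operator needs to pick out of a busy query log. The following is an added example, not Joe's script or anything else from the thread: a single Python pass over BIND query-log lines in the format shown above that groups queries by registered domain (assumed here to be the last two labels; no public-suffix handling) and flags zones where nearly every query carries a unique label and comes from a unique client. The first five sample lines are the ones Joe posted; the remaining four, using RFC 5737 documentation addresses, are constructed benign traffic, and the thresholds are illustrative only.

```python
"""Spot pseudo-random-subdomain floods in BIND 'queries' category logs.

Added example for this thread, not the poster's script. Assumptions: the
2014-era BIND line format shown in the thread; the zone under attack is the
registered domain, taken naively as the last two labels; illustrative thresholds.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) queries: info: client "
    r"(?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<dest>[^)]+)\)$"
)

# Constructed sample: first five lines are from the thread, the last four are
# made-up benign traffic from RFC 5737 documentation addresses.
SAMPLE_LOG = """\
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:32.701 queries: info: client 192.0.2.10#5353: query: www.example.com IN A + (66.199.132.5)
18-Feb-2014 22:42:33.015 queries: info: client 192.0.2.10#5353: query: www.example.com IN AAAA + (66.199.132.5)
18-Feb-2014 22:42:33.220 queries: info: client 192.0.2.11#40001: query: mail.example.com IN MX + (66.199.132.7)
18-Feb-2014 22:42:33.402 queries: info: client 192.0.2.10#5353: query: www.example.com IN A + (66.199.132.5)
"""


def parse_line(line):
    """Return the fields of one query-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def split_zone(qname, zone_labels=2):
    """Split 'a.b.example.com' into ('example.com', 'a.b')."""
    parts = qname.split(".")
    if len(parts) <= zone_labels:
        return qname, ""
    return ".".join(parts[-zone_labels:]), ".".join(parts[:-zone_labels])


@dataclass
class ZoneStats:
    queries: int = 0
    clients: Counter = field(default_factory=Counter)   # client IP -> queries
    prefixes: Counter = field(default_factory=Counter)  # full prefix -> queries
    subzones: Counter = field(default_factory=Counter)  # label directly above zone -> queries

    @property
    def label_ratio(self):  # ~1.0 means every query used a never-seen-before name
        return len(self.prefixes) / self.queries if self.queries else 0.0

    @property
    def client_ratio(self):  # ~1.0 means every query came from a never-seen-before client
        return len(self.clients) / self.queries if self.queries else 0.0

    @property
    def hot_subzone(self):  # the delegation taking the traffic, e.g. 'dlq1'
        return self.subzones.most_common(1)[0][0] if self.subzones else ""


def summarize(log_text):
    """One pass over the log: per-zone query, client and label counts."""
    stats = defaultdict(ZoneStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone, prefix = split_zone(rec["qname"])
        s = stats[zone]
        s.queries += 1
        s.clients[rec["client"]] += 1
        s.prefixes[prefix] += 1
        if prefix:
            s.subzones[prefix.rsplit(".", 1)[-1]] += 1
    return dict(stats)


def flag_floods(stats, min_queries=5, min_label_ratio=0.9, min_client_ratio=0.9):
    """Zones where nearly every query has a unique label and a unique client."""
    return sorted(
        zone for zone, s in stats.items()
        if s.queries >= min_queries
        and s.label_ratio >= min_label_ratio
        and s.client_ratio >= min_client_ratio
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for zone, s in sorted(stats.items()):
        print(f"{zone:12} queries={s.queries:4} clients={len(s.clients):4} "
              f"labels={len(s.prefixes):4} hot_subzone={s.hot_subzone}")
    print("flagged:", flag_floods(stats))
```

On a real log the default min_queries is far too low; the signal is the pair of ratios. A zone with thousands of queries whose label_ratio and client_ratio both sit near 1.0 is the shape of Joe's listing (1337 distinct sources for 1415 queries, each source seen once), and hot_subzone tells you which delegation is being hammered. The regex is tied to the log format in the thread; newer BIND releases add fields to this line and need an adjusted pattern.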