this was sent personally, but i'm responding to the list:
> I noticed ~550 addresses from several /16's that I manage on the list. The majority of the addresses were commercial broadband customers that have static IP address assignments and appear to be running Linksys/Netgear/SMC broadband routers doing NAT (likely running internal DHCP servers).
a common enough configuration.
> I believe I understand what's happening, but how can I go about fixing this? Is this Win2k/XP's fault, Linksys' fault, my fault....? Real question: How do I go about preventing customer Windows machines behind customer NAT boxes from DDoSing root servers with Windoze "Dynamic Updates"? You mentioned capturing this request, but I'm (perhaps blindly) missing the "how" part of that concept.
if rfc1918 addressing is in use inside your AS (a foregone conclusion), then it's your responsibility to install "covering routes" at the IP layer so that any traffic with that destination will die at your border. if you can also run URPF on your border routers so that packets with that _source_ will die at your border, so much the better. (i mention this not because it answers your question but because our flow stats here tell me that most other AS's don't handle their own rfc1918 traffic at their own border.) since rfc1918 addressing is in use inside your AS, i recommend that you install a route for 192.175.48.0/24, put some kind of dns servers on the .1, .6, and .42 addresses in that block, and watch the syslog file, and have your customer service (or abuse desk) folks work on educating your customers. i apologize for indicating that an AS owner ought to have been capturing DNS updates for rfc1918 PTR's, since up until we put the servers into an anycast block, this wasn't possible. now that it's possible, you should all start doing it.
> BTW, what was the time frame on that list? Hours, days, weeks?
four hours.
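As an added example (not from the original thread), here is a small Python script for the "watch the syslog file" step of the reply above: it parses BIND 9-style "update ... denied" lines (the log format is an assumption), keeps only updates aimed at reverse zones under the RFC1918 blocks, and counts them per customer source address so the abuse desk knows whom to contact. The log lines and addresses are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines in a BIND 9-style "update denied" format
# (assumed format, not from the original post). Sources are documentation
# addresses standing in for customer static IPs.
SAMPLE_SYSLOG = """\
May 10 12:00:01 ns1 named[1234]: client 198.51.100.7#1025: update '1.168.192.in-addr.arpa/IN' denied
May 10 12:00:02 ns1 named[1234]: client 198.51.100.7#1025: update '1.168.192.in-addr.arpa/IN' denied
May 10 12:00:05 ns1 named[1234]: client 203.0.113.9#3073: update '16.172.in-addr.arpa/IN' denied
May 10 12:00:07 ns1 named[1234]: client 203.0.113.9#3073: update '10.in-addr.arpa/IN' denied
May 10 12:00:09 ns1 named[1234]: client 198.51.100.22#1026: update 'example.net/IN' denied
"""

UPDATE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")

# The private blocks whose reverse zones the sinkhole servers answer for.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_zone_to_network(zone):
    """Map an IPv4 reverse zone such as '1.168.192.in-addr.arpa' to the
    prefix it covers (192.168.1.0/24); return None for anything else."""
    if not zone.endswith(".in-addr.arpa"):
        return None
    labels = zone[: -len(".in-addr.arpa")].split(".")
    if not 1 <= len(labels) <= 4 or not all(l.isdigit() and int(l) < 256 for l in labels):
        return None
    octets = labels[::-1] + ["0"] * (4 - len(labels))  # reverse and pad
    return ipaddress.ip_network(".".join(octets) + "/" + str(8 * len(labels)))


def is_rfc1918_reverse(zone):
    """True if the zone is a reverse zone inside one of the RFC1918 blocks."""
    net = reverse_zone_to_network(zone)
    return net is not None and any(net.subnet_of(block) for block in RFC1918)


def leaking_clients(syslog_text):
    """Count denied RFC1918 PTR update attempts per source address."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = UPDATE_RE.search(line)
        if m and is_rfc1918_reverse(m.group("zone")):
            counts[m.group("src")] += 1
    return counts


if __name__ == "__main__":
    for src, n in leaking_clients(SAMPLE_SYSLOG).most_common():
        print(f"{src}\t{n} leaked RFC1918 PTR updates")
```

Attempts against public zones (the example.net line) are ignored, so the counts reflect only the NAT-leak traffic the sinkhole is there to catch.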