One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:

    sh mls netflow ip destination 74.1.32.205 /32 module 2
    Displaying Netflow entries in module 2
    DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
    -----------------------------------------------------------------------------
    Pkts         Bytes      Age   LastSeen  Attributes
    ---------------------------------------------------
    74.1.32.205     193.0.14.129    udp :dns    :1039     Fa2/11          :0x0
    0            0          1     22:49:03  L3 - Dynamic
    74.1.32.205     202.12.27.33    udp :dns    :1039     Fa2/11          :0x0
    0            0          2     22:49:03  L3 - Dynamic
    74.1.32.205     192.36.148.17   udp :dns    :1039     Fa2/11          :0x0
    0            0          2     22:49:03  L3 - Dynamic

Is it practical to attempt to work the issue with the root server admins or is it quite likely this is spoofing and there's no hope to track this down?

Thanks, Kris
On Thu, 16 Jul 2009 15:56:29 -0700 "Pederson, Krishna" <Pederson@covad.com> wrote:
One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:
Hi Krishna,

You may want to make sure a second set of eyes confirms that these are not real responses to real queries from 74.1.32.205. If you're certain there are no outgoing queries that solicit these messages, how about getting a peek inside those packets? If you can do that, you should be able to get a better idea of what may be happening.

It is somewhat peculiar that the destination port is 1039 in the 3 flow records you've shown and that you're only seeing packets from 8 of the 13 root addresses. It's a clue, but inconclusive. It seems like it might be legitimate traffic from a resolver that is not doing source port randomization. Being that it's only every 15 seconds, that would seem too slow for an attack against 74.1.32.205, poisoning or otherwise. Could be backscatter.

I can't speak for the root ops, but I think they would prefer you perform a bit more investigation if you can.

John
On Thu, Jul 16, 2009 at 03:56:29PM -0700, Pederson, Krishna wrote:
One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:
    sh mls netflow ip destination 74.1.32.205 /32 module 2
    Displaying Netflow entries in module 2
    DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr
    -----------------------------------------------------------------------------
    Pkts         Bytes      Age   LastSeen  Attributes
    ---------------------------------------------------
    74.1.32.205     193.0.14.129    udp :dns    :1039     Fa2/11          :0x0
    0            0          1     22:49:03  L3 - Dynamic
    74.1.32.205     202.12.27.33    udp :dns    :1039     Fa2/11          :0x0
    0            0          2     22:49:03  L3 - Dynamic
    74.1.32.205     192.36.148.17   udp :dns    :1039     Fa2/11          :0x0
    0            0          2     22:49:03  L3 - Dynamic
Is it practical to attempt to work the issue with the root server admins or is it quite likely this is spoofing and there's no hope to track this down?
Thanks, Kris
I feel confident that you have received one or more private replies, but since this is a recurrent complaint, it may be worth the post.

Root nameservers do not gratuitously send traffic. They respond to queries they receive. Based on the information above, 74.1.32.205 has sent a query to the roots and they are responding as they should. If this is unwanted/undesired, you need to look at the source of the query, not the site responding to the request for information. The root server ops will have no way to evaluate if the packets they receive are spoofed.

One way to contact the root server operators is via email: comments@root-servers.org

--bill
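An added check along the lines John and Bill describe (example code written for this page, not from anyone in the thread): parse the "sh mls netflow" entries, pair each root-server response with the outbound query that would have solicited it, and flag responses with no matching query plus a client port that stays fixed across several roots. The root address set (only the three seen above) and the extra outbound query entry in the sample are assumptions constructed for the example.

```python
# Root addresses seen in the thread's netflow output (K, M and I roots); a real
# check would load the full list from root-servers.org (assumed for the example).
ROOT_SERVERS = {"193.0.14.129", "202.12.27.33", "192.36.148.17"}
PORT_NAMES = {"dns": 53}  # "sh mls netflow" prints well-known ports by name
def parse_flow(line):
    """Parse one 'sh mls netflow' entry; header and rule lines give None."""
    tok = line.split()
    if len(tok) < 5 or not tok[0][0].isdigit():
        return None
    def port(t):
        t = t.lstrip(":")
        return PORT_NAMES.get(t, int(t) if t.isdigit() else None)
    return {"dst": tok[0], "src": tok[1], "proto": tok[2],
            "sport": port(tok[3]), "dport": port(tok[4])}

def classify(flows):
    """Split root DNS responses into solicited (matching outbound query in the
    table) and unsolicited (spoofing or backscatter suspects)."""
    queries = {(f["src"], f["sport"], f["dst"]) for f in flows
               if f["proto"] == "udp" and f["dport"] == 53 and f["dst"] in ROOT_SERVERS}
    solicited, unsolicited = [], []
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 53 and f["src"] in ROOT_SERVERS:
            key = (f["dst"], f["dport"], f["src"])
            (solicited if key in queries else unsolicited).append(f)
    return solicited, unsolicited

def fixed_client_ports(responses):
    """Client (ip, port) answered by more than one root: no source port randomization."""
    by_port = {}
    for f in responses:
        by_port.setdefault((f["dst"], f["dport"]), set()).add(f["src"])
    return {k for k, roots in by_port.items() if len(roots) > 1}

# Constructed sample: the thread's three response entries (one per line, as pasted)
# plus one outbound query (74.1.32.205:1039 -> K-root:53) that would explain the first.
SAMPLE = """\
DstIP SrcIP Prot:SrcPort:DstPort Src i/f :AdjPtr
74.1.32.205 193.0.14.129 udp :dns :1039 Fa2/11 :0x0 0 0 1 22:49:03 L3 - Dynamic
74.1.32.205 202.12.27.33 udp :dns :1039 Fa2/11 :0x0 0 0 2 22:49:03 L3 - Dynamic
74.1.32.205 192.36.148.17 udp :dns :1039 Fa2/11 :0x0 0 0 2 22:49:03 L3 - Dynamic
193.0.14.129 74.1.32.205 udp :1039 :dns Fa2/3 :0x0 1 64 1 22:49:03 L3 - Dynamic
"""
def analyse(text):
    flows = [f for f in map(parse_flow, text.splitlines()) if f]
    solicited, unsolicited = classify(flows)
    return {"solicited": [f["src"] for f in solicited],
            "unsolicited": [f["src"] for f in unsolicited],
            "fixed_ports": fixed_client_ports(solicited + unsolicited)}
```

Responses in the "unsolicited" list are the ones worth capturing on the wire, since with no outbound query in the table they are either spoofed or reflected; a non-empty "fixed_ports" set points at a resolver behind that address that is not randomizing its source port.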