Are there any other ISP's who are experiencing DNS floods, specifically I am looking for traffic destined for (or coming from) the following IPs
199.108.32.203 216.15.178.201 129.180.11.17 216.41.23.68 208.235.124.20 203.251.77.1
It appears someone is running a script that is using these nameservers, as well as the name servers of other educational facilities, to do a lookup on mulitple servers in the amplitude of 3-4 a second. This activity has been happening for the past 3 weeks, we have null routed this traffic on our backbone, but it still shows up in Cache flow. This traffic actually saturated our customer's pipe as well as increased the load on our backbone router. If anyone has seen anything at all like that, (specifically people from UU.net or AT&T Worldnet) please lets band together and find the person doing this. Thanks Jamie D. | noc@cerf.net AT&T CERFnet| Network Analyst 1-888-237-3638 opt 2 opt 2
Resolved 199.108.32.203 to inspire3d.com Resolved 216.15.178.201 to Lets.lepak.net Resolved 129.180.11.17 to turing.une.edu.au Unable to resolve 216.41.23.68 Netname: OEMGREEN Netblock: 216.41.0.0 - 216.41.127.255 Maintainer: DHHC Resolved 208.235.124.20 to cardassian.keysdigital.com Unable to resolve 203.251.77 inetnum: 203.251.0.0 - 203.251.127.255 netname: KORNET descr: Korea Telecom "Jamie D." wrote:
Are there any other ISP's who are experiencing DNS floods, specifically I am looking for traffic destined for (or coming from) the following IPs
199.108.32.203 216.15.178.201 129.180.11.17 216.41.23.68 208.235.124.20 203.251.77.1
It appears someone is running a script that is using these nameservers, as well as the name servers of other educational facilities, to do a lookup on mulitple servers in the amplitude of 3-4 a second. This activity has been happening for the past 3 weeks, we have null routed this traffic on our backbone, but it still shows up in Cache flow.
This traffic actually saturated our customer's pipe as well as increased the load on our backbone router.
If anyone has seen anything at all like that, (specifically people from UU.net or AT&T Worldnet) please lets band together and find the person doing this.
Thanks Jamie D. | noc@cerf.net AT&T CERFnet| Network Analyst 1-888-237-3638 opt 2 opt 2
Hi Jamie, We are seeing it as well (same spoofed addresses). In our case, we tracked it to NAPNET @ AADS-NAP. Folks from NAPNET are looking at it but we have not heard back from them. - Vui
Are there any other ISP's who are experiencing DNS floods, specifically I am looking for traffic destined for (or coming from) the following IPs
199.108.32.203 216.15.178.201 129.180.11.17 216.41.23.68 208.235.124.20 203.251.77.1
It appears someone is running a script that is using these nameservers, as well as the name servers of other educational facilities, to do a lookup on mulitple servers in the amplitude of 3-4 a second. This activity has been happening for the past 3 weeks, we have null routed this traffic on our backbone, but it still shows up in Cache flow.
This traffic actually saturated our customer's pipe as well as increased the load on our backbone router.
If anyone has seen anything at all like that, (specifically people from UU.net or AT&T Worldnet) please lets band together and find the person doing this.
Thanks Jamie D. | noc@cerf.net AT&T CERFnet| Network Analyst 1-888-237-3638 opt 2 opt 2
======================================================================== Vui Q. Le Phone: (510) 495-2204 Energy Sciences Network (ESnet) Fax : (510) 486-6712 Network Engineering Services Group Email: vuile@es.net Lawrence Berkeley National Laboratory URL : http://www.es.net/ ========================================================================
participants (3)
-
Henry R. Linneweh
-
Jamie D.
-
Vui Le