DNS traffic sourced from my address space to myself.
Howdy,

Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed).

SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet

There are multiple different instances of this traffic, the pattern seems to be:

-The source is always 'my own IPs' and obviously spoofed.
-It's DNS traffic
-The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).

Has anyone else noticed anything similar coming in on their transit links or am I just lucky?

Normally my iACL catches this but I've just been noticing more of it lately.

-Drew
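An added example, not part of the original post: a Python script that parses %SEC-6-IPACCESSLOGP lines in the format quoted above and groups, per destination, the hits whose source lies in the same locally originated prefix as the destination. The prefix 198.18.144.0/23, the sample log lines and the function names are constructed for illustration, and it assumes the logging ACL is applied inbound on the transit interface.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: prefixes you originate; 198.18.144.0/23 is a constructed stand-in.
OWN_PREFIXES = [ipaddress.ip_network("198.18.144.0/23")]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

# Constructed sample lines (not taken from the post).
SAMPLE = """\
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 198.18.145.161(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 198.18.144.74(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 denied udp 198.18.144.70(0) -> 198.18.145.235(0), 3 packets
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 203.0.113.9(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:04 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to up
"""

def owning_prefix(addr, prefixes):
    """Return the local prefix containing addr, or None (also for malformed input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((p for p in prefixes if ip in p), None)

def self_sourced(lines, prefixes=OWN_PREFIXES):
    """Per destination: distinct in-prefix sources, packet total, packets the ACL permitted."""
    out = defaultdict(lambda: {"sources": set(), "packets": 0, "permitted": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL log line
        src_pfx = owning_prefix(m["src"], prefixes)
        # Keep only hits whose source and destination share one of our prefixes.
        if src_pfx is None or owning_prefix(m["dst"], prefixes) != src_pfx:
            continue
        entry = out[m["dst"]]
        entry["sources"].add(m["src"])
        entry["packets"] += int(m["count"])
        if m["action"] == "permitted":
            entry["permitted"] += int(m["count"])
    return dict(out)

if __name__ == "__main__":
    for dst, e in self_sourced(SAMPLE.splitlines()).items():
        print(f"{dst}: {len(e['sources'])} sources, {e['packets']} pkts, {e['permitted']} permitted")
```

A non-zero permitted count for a destination means packets claiming an in-prefix source matched a permit entry on the edge rather than being dropped there.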
On Wed, 7 Jul 2010, Drew Weaver wrote:
> Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed).
>
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet
>
> There are multiple different instances of this traffic, the pattern seems to be:
>
> -The source is always 'my own IPs' and obviously spoofed.
> -It's DNS traffic
> -The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).
>
> Has anyone else noticed anything similar coming in on their transit links or am I just lucky?

I posted the same thing June 16, 2010. Search for

Subject: Todd Underwood was a little late

If you can capture some of the traffic and see what the DNS requests are, that would let you see if it's the same sort of issue I was seeing or something different.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

On Wed, Jul 07, 2010 at 08:07:07AM -0400, Drew Weaver wrote:
> Howdy,
>
> Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed).
>
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet
>
> There are multiple different instances of this traffic, the pattern seems to be:
>
> -The source is always 'my own IPs' and obviously spoofed.
> -It's DNS traffic
> -The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).
>
> Has anyone else noticed anything similar coming in on their transit links or am I just lucky?
>
> Normally my iACL catches this but I've just been noticing more of it lately.
>
> -Drew

Yeah... I've seen this type of behaviour w/ folks picking random source addresses from the IPv6 /32... Sure wish I could announce something smaller.

--bill

participants (3): bmanning@vacation.karoshi.com, Drew Weaver, Jon Lewis