Large number of DNS probes in last 24 hours
I've seen a surprising number of attempted recursive DNS requests against unpublished non-recursive DNS servers in the last 24 hours or so, many of them obviously probes of some sort (query for "." IN NS, eg).
Is anyone else seeing this? Is it new? Or did some botnet just reach this corner of the IP space?
-- Jim Wise jwise@draga.com
Jim Wise wrote:
I've seen a surprising number of attempted recursive DNS requests against unpublished non-recursive DNS servers in the last 24 hours or so, many of them obviously probes of some sort (query for "." IN NS, eg).
Is anyone else seeing this? Is it new? Or did some botnet just reach this corner of the IP space?
Yes, no, and yes. I've seen this sort of thing severe enough that I simply took the servers down for a day (yes, really), even considering the severe inconvenience that caused.
-- Die Gedanken sind frei
I have seen this as well on my fringe IP-space networks. Just a botnet or two running along the range. A cost of doing business :\
John Menerick
http://icehax.us
On May 30, 2008, at 10:11 AM, Lynda wrote:
Jim Wise wrote:
I've seen a surprising number of attempted recursive DNS requests against unpublished non-recursive DNS servers in the last 24 hours or so, many of them obviously probes of some sort (query for "." IN NS, eg).
Is anyone else seeing this? Is it new? Or did some botnet just reach this corner of the IP space?
Yes, no, and yes. I've seen this sort of thing severe enough that I simply took the servers down for a day (yes, really), even considering the severe inconvenience that caused.
-- Die Gedanken sind frei
Jim Wise wrote:
I've seen a surprising number of attempted recursive DNS requests against unpublished non-recursive DNS servers in the last 24 hours or so, many of them obviously probes of some sort (query for "." IN NS, eg).
Is anyone else seeing this? Is it new? Or did some botnet just reach this corner of the IP space?
I have seen PlanetLab experiments doing this. What are the originating IP addresses?
Mikal
On Fri, 30 May 2008, Michael Still wrote:
Jim Wise wrote:
I've seen a surprising number of attempted recursive DNS requests against unpublished non-recursive DNS servers in the last 24 hours or so, many of them obviously probes of some sort (query for "." IN NS, eg).
Is anyone else seeing this? Is it new? Or did some botnet just reach this corner of the IP space?
I have seen PlanetLab experiments doing this. What are the originating IP addresses?
Three observed source addresses
208.78.169.237 204.11.51.62 194.199.24.101
Source ports are high and non-repeating. Other than the domain root, A-record queries for "google.com" and for hostnames which appear to be on the same subnet as the querying host.
-- Jim Wise jwise@draga.com
Jim Wise wrote:
On Fri, 30 May 2008, Michael Still wrote:
I have seen PlanetLab experiments doing this. What are the originating IP addresses?
Three observed source addresses
208.78.169.237 204.11.51.62 194.199.24.101
Source ports are high and non-repeating. Other than the domain root, A-record queries for "google.com" and for hostnames which appear to be on the same subnet as the querying host.
Hmmm. All the PlanetLab nodes should have valid reverse DNS, which isn't the case here, so I guess it is something more malicious.
Mikal
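An added example, not code posted by any participant in the thread: it parses a raw DNS query (RFC 1035 wire format) and labels the kinds of query discussed above as seen by an authoritative-only server. The function names, the `served_zones` parameter and the zone `example.net.` are assumptions, and `build_query` only constructs sample input.

```python
import struct

QTYPE_A, QTYPE_NS = 1, 2

def build_query(qname, qtype, rd=True, txid=0x1234):
    """Constructed sample input: encode a one-question DNS query."""
    flags = 0x0100 if rd else 0                      # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return (rd, qname, qtype) for a single-question query, else None."""
    if len(pkt) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:               # QR set means a response
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            return None
        n = pkt[pos]
        pos += 1
        if n == 0:                                   # root label ends the name
            break
        if n > 63 or pos + n > len(pkt):             # pointer or overrun: reject
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(pkt):
        return None
    qtype, _ = struct.unpack("!HH", pkt[pos:pos + 4])
    return bool(flags & 0x0100), ".".join(labels) + ".", qtype

def classify(pkt, served_zones):
    """Label a query arriving at an authoritative-only server."""
    q = parse_query(pkt)
    if q is None:
        return "malformed"
    rd, qname, qtype = q
    if any(qname == z or qname.endswith("." + z) for z in served_zones):
        return "in-zone"
    if qname == "." and qtype == QTYPE_NS:
        return "root-ns-probe"
    return "out-of-zone-recursive" if rd else "out-of-zone"
```

Counting the non-"in-zone" labels per source address over a capture gives a quick view of which hosts are probing rather than resolving names the server actually publishes.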
participants (4)
- Jim Wise
- John Menerick
- Lynda
- Michael Still