North American Network Operators Group


Odd DNS Traffic

  • From: Support Team
  • Date: Wed Mar 26 16:04:46 2003

First I would like to note I am new to the list and group.  It's nice to
be here.

Second, since Monday, March 24th at approx 1am we have been suffering
from "odd" DNS traffic to our two primary DNS servers.  The odd traffic
has increased our bandwidth utilization by about 20 Mbps, which is
obviously putting a hurting on our network and our DNS servers.

I know this must also be affecting other networks, and if anything the
root servers.  If anyone has any suggestions, etc, they would be much
appreciated.

Thank you,
Michael Mannella
Support Team
Synergy Networks, Inc.

Here are the symptoms:
============================================

The odd traffic started with the root servers, namely
(a-m).gtld-servers.net.  Most of the traffic is still coming from them,
but other servers have also started sending us this odd traffic.

We have 3 DNS servers; only two are being affected.  They are our Primary
and Secondary servers that are listed with Network Solutions.  The third
server (that is not being affected) is not listed with NetSol and has no
DNS records set up in it.  It is strictly being used for lookups.

The odd traffic is listed as a "DNS Spoof attempt" on our firewall.

The odd traffic looks like this:

Rcv   192.48.79.30    0cbb  R Q [0084 A     NOERROR]
(8)�ҵĵ绰(3)COM(0)
UDP response info at 01ADC8BC
  Socket = 380
  Remote addr 192.48.79.30, port 53
  Time Query=147367, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x010e (270)
  Message:
    XID       0x0cbb
    Flags     0x8400
        QR        1 (response)
        OPCODE    0 (QUERY)
        AA        1
        TC        0
        RD        0
        RA        0
        Z         0
        RCODE     0 (NOERROR)
    QCOUNT    0x1
    ACOUNT    0x1
    NSCOUNT   0xd
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name      "(8)�ҵĵ绰(3)COM(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x001e, RR count = 0
    Name      "[C00C](8)�ҵĵ绰(3)COM(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    300
      DLEN   4
      DATA   198.41.1.35
    AUTHORITY SECTION:
    Offset = 0x002e, RR count = 0
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   20
      DATA   (1)g(12)gtld-servers(3)net(0)
    Offset = 0x004e, RR count = 1
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)h[C03C](12)gtld-servers(3)net(0)
    Offset = 0x005e, RR count = 2
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)d[C03C](12)gtld-servers(3)net(0)
    Offset = 0x006e, RR count = 3
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)j[C03C](12)gtld-servers(3)net(0)
    Offset = 0x007e, RR count = 4
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)i[C03C](12)gtld-servers(3)net(0)
    Offset = 0x008e, RR count = 5
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)l[C03C](12)gtld-servers(3)net(0)
    Offset = 0x009e, RR count = 6
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)b[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ae, RR count = 7
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)e[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00be, RR count = 8
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)a[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ce, RR count = 9
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)k[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00de, RR count = 10
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)f[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ee, RR count = 11
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)c[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00fe, RR count = 12
    Name      "[C015](3)COM(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    172800
      DLEN   4
      DATA   (1)m[C03C](12)gtld-servers(3)net(0)
    ADDITIONAL SECTION:

The DNS server encountered an invalid domain name in a packet from
192.48.79.30.  The packet is rejected.
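The debug dump above is a Windows DNS server's decode of one 270-byte UDP response. The Python below is added here as a worked example; it is not part of the original post and not the poster's tooling. It rebuilds that message byte for byte from the offsets in the log (header flags 0x8400, one question, one A answer, thirteen NS records for COM), parses it with RFC 1035 name compression (the [C00C], [C015] and [C03C] pointers the log shows), and applies the letters-digits-hyphen label check that explains the "invalid domain name" rejection at the end of the post. The one assumed value is the 8-byte first label: the page shows it only as mojibake, and the bytes used here are GB2312 for 我的电话 ("my phone"), which is consistent with the (8) length and the garbled text but is inferred, not copied from the page. The query_size and amplification helpers are also mine: a roughly 30-byte query elicits this 270-byte answer, which is the number a practitioner wants when responses are arriving for queries the server never sent.

```python
"""Rebuild and decode the DNS response from the debug log (added example)."""
import socket
import struct

# ASSUMED: the 8-byte label the log prints as mojibake, taken to be GB2312 for 我的电话.
RAW_LABEL = b"\xce\xd2\xb5\xc4\xb5\xe7\xbb\xb0"

# RFC 1035 "preferred name syntax": labels are letters, digits and hyphen only.
LDH = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def encode_name(labels):
    """Wire-encode a list of raw byte labels, uncompressed."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_logged_response():
    """Construct the 270-byte message described by the log, field by field."""
    hdr = struct.pack("!HHHHHH", 0x0CBB, 0x8400, 1, 1, 13, 0)   # XID, flags, QD, AN, NS, AR
    question = encode_name([RAW_LABEL, b"COM"]) + struct.pack("!HH", 1, 1)  # A, IN
    # Answer: name is a pointer to the question name at offset 0x0c ([C00C]).
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + socket.inet_aton("198.41.1.35"))
    # Authority: 13 NS records for COM ([C015]). The first carries the full
    # target; the rest point at "gtld-servers.net" inside it, offset 0x3c ([C03C]).
    first = encode_name([b"g", b"gtld-servers", b"net"])
    auth = b"\xc0\x15" + struct.pack("!HHIH", 2, 1, 172800, len(first)) + first
    for letter in b"hdjilbeakfcm":                     # order as listed in the log
        target = bytes([1, letter]) + b"\xc0\x3c"
        auth += b"\xc0\x15" + struct.pack("!HHIH", 2, 1, 172800, len(target)) + target
    return hdr + question + answer + auth


def read_name(msg, off):
    """Decode a possibly compressed name; return (raw labels, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # only the first pointer ends the name
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return labels, (end if jumped else off)
        labels.append(msg[off:off + length])
        off += length


def is_valid_hostname_label(label):
    """True for a 1-63 byte LDH label; raw 8-bit bytes fail, as in the log's rejection."""
    return 0 < len(label) <= 63 and all(c in LDH for c in label)


def parse_response(msg):
    """Parse header and all sections; collect labels a strict server would reject."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"xid": xid, "flags": flags, "qr": flags >> 15, "aa": (flags >> 10) & 1,
           "rcode": flags & 0xF, "question": None, "invalid_labels": [],
           "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        labels, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"] = (labels, qtype, qclass)
        out["invalid_labels"] += [l for l in labels if not is_valid_hostname_label(l)]
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            labels, off = read_name(msg, off)
            rtype, rclass, ttl, dlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, off = off, off + dlen
            if rtype == 1 and dlen == 4:               # A
                rdata = socket.inet_ntoa(msg[rdata_off:off])
            elif rtype == 2:                           # NS, target may be compressed
                rdata = b".".join(read_name(msg, rdata_off)[0]).decode("ascii")
            else:
                rdata = msg[rdata_off:off]
            out[section].append((rtype, ttl, rdata))
    out["length"] = off
    return out


def query_size(response):
    """Bytes in the minimal query that elicits this response (header + question)."""
    labels, _, _ = parse_response(response)["question"]
    return 12 + len(encode_name(labels)) + 4


def amplification(response):
    """Response bytes per query byte; what a reflector hands an attacker."""
    return len(response) / query_size(response)


if __name__ == "__main__":
    msg = build_logged_response()
    r = parse_response(msg)
    print(f"{r['length']} bytes, XID {r['xid']:#06x}, AA={r['aa']}, answer={r['answers']}")
    for label in r["invalid_labels"]:
        print("non-LDH label", label.hex(), "-> packet rejected as invalid domain name")
    print(f"query {query_size(msg)} bytes -> response {len(msg)} bytes, x{amplification(msg):.0f}")
```

The `read_name` hop limit is the check a parser needs before trusting compression pointers from an untrusted peer; the offsets it produces (0x1e, 0x2e, 0x4e ... 0xfe, 0x10e) match the "Offset =" lines in the log exactly, which is how to confirm the reconstruction.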