North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Large number of DNS probes in last 24 hours

  • From: Jim Wise
  • Date: Sat May 31 00:34:46 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 30 May 2008, Michael Still wrote:

>Jim Wise wrote:
>> I've seen a surprising number of attempted recursive DNS requests 
>> against unpublished non-recursive DNS servers in the last 24 hours or 
>> so, many of them obviously probes of some sort (query for "." IN NS, 
>> eg).
>> 
>> Is anyone else seeing this?  Is it new?  Or did some botnet just reach 
>> this corner of the IP space?
>
>I have seen PlanetLab experiments doing this. What are the originating
>IP addresses?

Three observed source addresses

	208.78.169.237
	204.11.51.62
	194.199.24.101

Source ports are high and non-repeating.  Other than the domain root, 
A-record queries for "google.com" and for hostnames which appear to be 
on the same subnet as the querying host.

- -- 
				Jim Wise
				[email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFIQNVXq/KRbT0KwbwRAvxDAJ9AuikE/UHx8YvlWIyiL4cdnaVjhwCdGYBI
CTEd5J0L0NCeDnpViMxOPmY=
=W/wp
-----END PGP SIGNATURE-----