Re: Large number of DNS probes in last 24 hours

• From: Michael Still
• Date: Mon Jun 02 18:37:10 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

Jim Wise wrote:
> On Fri, 30 May 2008, Michael Still wrote:

>> I have seen PlanetLab experiments doing this. What are the originating
>> IP addresses?
> 
> Three observed source addresses
> 
> 	208.78.169.237
> 	204.11.51.62
> 	194.199.24.101
> 
> Source ports are high and non-repeating.  Other than the domain root, 
> A-record queries for "google.com" and for hostnames which appear to be 
> on the same subnet as the querying host.

Hmmm. All the PlanetLab nodes should have valid reverse DNS, which isn't
the case here, so I guess it is something more malicious.

Mikal

• Prev by Date: Re: NANOG NYC Event
• Next by Date: Network trend and right planning
• Date Index
• Thread Index
• Author Index
• Historical