> From: Daniel Stirnimann <[email protected]>

> One error I made is that there are lots of different IP addresses
> sending these queries. The IP address 203.45.217.122 which I referred to
> in my original post sends about 50 qps but there are roughly 5800 other
> IPs sending this traffic as well. Some only one query within 15 minutes
> but most something between 1 qps and 40 qps.

That's interesting.

> The few IP addresses which send more than my threshold
> (response-per-second 20) are rate-limited.

That's a relief.

If I were eager to repeat the very popular error of confusing guesses
with knowledge and facts, I might expound on botnets and spam and claim
that the increase in spam backscatter in my personal mailbox and the
~7% increase in spam reported to DCC are both real and related to what
you are seeing.

http://www.rhyolite.com/dcc/graphs/?BIG=1&end=1363032000&resol=1m
http://www.rhyolite.com/dcc/graphs/?resol=1w&end=1363032000&BIG=1
http://www.rhyolite.com/dcc/graphs/?resol=1w&end=1361822400&BIG=1

However, I've learned from many years of watching others make
authoritative sounding declarations about the what, where, why, and how
of network evil, and be immediately or sooner shown to be full of
negative clues ("facts" that are false).

Vernon Schryver [email protected]
