On Tue, 2 Apr 2013, Dobbins, Roland wrote:


> On Apr 2, 2013, at 8:30 AM, Jon Lewis wrote:
>
>> They look legitimate and too small in number to be any sort of DoS if that's
>> what you're getting at.
>
> I was just wondering if it seems likely that they're synthetically generated for some purpose (not necessarily DDoS), or if they appear to be legitimate queries, as far as can be determined. It sounds as if the latter is the case . . .

Some do fail to be answered.  i.e.

20:56:59.948499 IP (tos 0x0, ttl 115, id 12394, offset 0, flags [none], proto: UDP (17), length: 540) 50.76.25.65.5455 > 69.28.95.83.53: [udp sum ok] 17648 [b2&3=0x200] A? 125.237.120.64.dnsbl.njabl.org. (512)
        0x0000:  4500 021c 306a 0000 7311 256b 324c 1941  E...0j..s.%k2L.A
        0x0010:  451c 5f53 154f 0035 0208 81e5 44f0 0200  E._S.O.5....D...
        0x0020:  0001 0000 0000 0000 0331 3235 0332 3337  .........125.237
        0x0030:  0331 3230 0236 3405 646e 7362 6c05 6e6a  .120.64.dnsbl.nj
        0x0040:  6162 6c03 6f72 6700 0001 0001 0000 0000  abl.org.........
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0110:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0120:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0150:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0160:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0170:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0180:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0190:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0200:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0210:  0000 0000 0000 0000 0000 0000            ............
20:56:59.948521 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 76) 69.28.95.83.53 > 50.76.25.65.5455: [udp sum ok] 17648 NotImp- q: A? 125.237.120.64.dnsbl.njabl.org. 0/0/0 (48)
        0x0000:  4500 004c 0000 4000 4011 4aa5 451c 5f53  E..L..@.@.J.E._S
        0x0010:  324c 1941 0035 154f 0038 0781 44f0 8004  2L.A.5.O.8..D...
        0x0020:  0001 0000 0000 0000 0331 3235 0332 3337  .........125.237
        0x0030:  0331 3230 0236 3405 646e 7362 6c05 6e6a  .120.64.dnsbl.nj
        0x0040:  6162 6c03 6f72 6700 0001 0001            abl.org.....

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
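
Added example, not part of the original message: a small Python decoder run over the DNS bytes of the two packets above, to show what the `b2&3=0x200` value tcpdump printed (header bytes 2 and 3) and the 512-byte size mean. The names `parse` and `oddities` are made up for this sketch, and the byte strings are retyped from the hex dumps.

```python
import struct

# DNS payloads rebuilt from the hex dumps in the message (they start at 0x1c,
# after the IP and UDP headers). The query's tail is all 0x00 in the dump.
QUESTION = bytes.fromhex(
    "03313235 03323337 03313230 023634 05646e73626c 056e6a61626c 036f7267 00"
    "0001 0001")
QUERY = bytes.fromhex("44f0 0200 0001 0000 0000 0000") + QUESTION
QUERY += bytes(512 - len(QUERY))            # zero padding up to the (512) shown
REPLY = bytes.fromhex("44f0 8004 0001 0000 0000 0000") + QUESTION

def parse(msg):
    """Decode the header and first question; report what follows the question."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while msg[pos]:                         # length-prefixed labels, 0 ends the name
        n = msg[pos]
        if n & 0xC0:                        # compression pointers are not expected here
            raise ValueError("compressed name in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    tail = msg[pos + 5:]
    return {
        "id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar), "qname": ".".join(labels) + ".",
        "qtype": qtype, "qclass": qclass,
        "tail_len": len(tail), "tail_all_zero": not any(tail),
    }

def oddities(msg):
    """List what is unusual about a message that should be a plain A lookup."""
    m, found = parse(msg), []
    if m["qr"] == 0 and m["tc"]:
        found.append("TC set in a query")
    if m["counts"][1:] == (0, 0, 0) and m["tail_len"]:
        found.append(f"{m['tail_len']} trailing bytes after the question")
    return found

if __name__ == "__main__":
    for name, msg in (("query", QUERY), ("reply", REPLY)):
        print(name, parse(msg), oddities(msg))
```
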