On 1/19/06, Brian Collins <[EMAIL PROTECTED]> wrote: > Good day folks. This morning an admin asked us to check on a large amount > of traffic targeting several DNS servers in our network (both our own DNS > servers and customer co-located DNS servers). In looking at the traffic I > see that the source is making several queries a second for DNS root. I have > included a small sample from tcpdump below. Not sure what the motive is > here. The TTLs are all 235. The random source ports makes me think > possibly spoofed traffic. I can put packet dumps up on a website in libpcap > format if anyone is interested. They are still going on as I type this. > > Thanks for any insight you can lend. > > > 08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] > ANY ANY? . (28) > 08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] > ANY ANY? . (28)
It could be a DoS attack on 207.210.68.202 from an unkown attacker, using your DNS servers. The query for the root servers generates a nice response which can be used to flood the target (small query, big response). As you know what the TTL of incoming packets is (235), you can do a traceroute to this IP address from your network and see what number of hops you will get - that will help you to determine if the packet is spoofed or not. Cheers, Bojan
