On Wed, 2006-01-18 at 09:37 -0500, Brian Collins wrote:

> Good day folks. This morning an admin asked us to check on a large amount
> of traffic targeting several DNS servers in our network (both our own DNS
> servers and customer co-located DNS servers). In looking at the traffic I
> see that the source is making several queries a second for DNS root. I have
> included a small sample from tcpdump below. Not sure what the motive is
> here. The TTLs are all 235. The random source ports make me think
> possibly spoofed traffic. I can put packet dumps up on a website in libpcap
> format if anyone is interested. They are still going on as I type this.
I've seen similar about a year ago, where a Windows server had gone into a spin firing DNS queries at its upstream forwarder at high rates - like thousands of requests per second hitting an ISP DNS server.

It has also been noticed by other people, such as this recent post on the BIND-USERS mailing list:

http://marc.theaimsgroup.com/?l=bind-users&m=113778239231495&w=2

Really the only resolution was to firewall the perpetrator, then try to contact them and explain the situation in the hope that they will understand and fix their server.

--
Kerry Thompson
http://www.crypt.gen.nz
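As an added illustration (not from either poster) of how one might triage the pattern described in the thread before deciding whom to firewall: the script below parses tcpdump's default DNS query lines, counts queries for the root name (".") per source per second, and reports any source whose peak rate reaches a threshold, together with how many distinct source ports it used. The capture lines are constructed for the example; the thread does not include the original dump, and the field layout assumed is tcpdump's plain (non -v) output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's default DNS line format; these are not the
# original poster's packets (the thread does not include his dump).
SAMPLE_TCPDUMP = """\
09:31:02.000123 IP 198.51.100.7.51234 > 192.0.2.10.53: 4122+ NS? . (17)
09:31:02.120456 IP 198.51.100.7.44871 > 192.0.2.10.53: 9901+ NS? . (17)
09:31:02.310789 IP 198.51.100.7.60021 > 192.0.2.11.53: 17+ NS? . (17)
09:31:02.540001 IP 198.51.100.7.39115 > 192.0.2.10.53: 5+ NS? . (17)
09:31:02.800222 IP 203.0.113.5.53011 > 192.0.2.10.53: 31+ A? www.example.com. (33)
09:31:03.010333 IP 198.51.100.7.50201 > 192.0.2.11.53: 2200+ NS? . (17)
09:31:03.200444 IP 198.51.100.7.41777 > 192.0.2.10.53: 101+ NS? . (17)
09:31:03.400555 IP 198.51.100.7.58888 > 192.0.2.10.53: 104+ NS? . (17)
09:31:03.600666 IP 203.0.113.5.53011 > 192.0.2.10.53: 32+ A? mail.example.com. (34)
"""

# timestamp, source IP/port, destination IP (port 53), query id, qtype, qname
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+? (?P<qtype>\S+)\? (?P<qname>\S+) "
)

def parse_queries(text):
    """Yield one dict per DNS query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def flag_root_query_sources(text, peak_qps):
    """Return {src: stats} for sources whose root ('.') query count reaches
    peak_qps within any single second. distinct_src_ports is reported because a
    wide spread of source ports is what raised the spoofing suspicion above."""
    per_second = defaultdict(Counter)   # src -> Counter(second -> root queries)
    ports = defaultdict(set)            # src -> distinct source ports seen
    for q in parse_queries(text):
        if q["qname"] != ".":
            continue
        per_second[q["src"]][q["ts"]] += 1
        ports[q["src"]].add(q["sport"])
    flagged = {}
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= peak_qps:
            flagged[src] = {"root_queries": sum(buckets.values()),
                            "peak_per_second": peak,
                            "distinct_src_ports": len(ports[src])}
    return flagged

if __name__ == "__main__":
    for src, stats in flag_root_query_sources(SAMPLE_TCPDUMP, 3).items():
        print(src, stats)
```

In the constructed sample only 198.51.100.7 is reported; the host doing ordinary A lookups is left alone, which is the distinction that matters before blocking anything at the firewall.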
