In message <[email protected]>, Jon Lewis write s: > I just took a closer look at something odd I'd noticed several days ago. > One of our DNS servers was sending crazy amounts of ARP requests for IPs > in the /24 its main IP is in. What I've found is we're getting hit with > DNS requests that look like they're from "typical internet traffic for > someone in China" hitting this DNS server from IPs in its /24 which are > currently not in use (at least on our local network). It would appear > someone in China is using our IP space, presumably behind a NAT router, > and they're leaking some traffic non-NAT'd.
Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected]
