On Wed, Jul 07, 2010 at 08:07:07AM -0400, Drew Weaver wrote:
> Howdy,
>
> Recently I have been noticing a good amount of totally bogus DNS traffic
> coming in on my transit links via my own IP addresses (spoofed).
>
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
> SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet
>
> There are multiple different instances of this traffic, the pattern seems to
> be:
>
> -The source is always 'my own IPs' and obviously spoofed.
> -It's DNS traffic
> -The "source addresses" all seem to be randomly chosen from the same /23 as
> the destination address (they cycle through randomly).
>
> Has anyone else noticed anything similar coming in on their transit links or
> am I just lucky?
>
> Normally my iACL catches this but I've just been noticing more of it lately.
>
> -Drew

Yeah... I've seen this type of behaviour w/ folks picking random source addresses from the IPv6 /32... Sure wish I could announce something smaller.

--bill
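
The following is an added example, not part of either message in the thread: a small Python parser for `%SEC-6-IPACCESSLOGP` lines in the format quoted above that flags entries whose source address falls inside the network's own prefixes and summarizes them per destination. It assumes the log comes from an ACL applied inbound on a transit interface; `OWN_PREFIXES` and the sample lines are constructed, using RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the prefixes this network originates (constructed, RFC 5737 space).
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample input in the format quoted in the post.
SAMPLE_LOG = """\
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 192.0.2.161(0) -> 192.0.2.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 192.0.2.74(0) -> 192.0.2.235(0), 1 packet
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 192.0.2.70(0) -> 192.0.2.235(0), 3 packets
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 203.0.113.9(53124) -> 192.0.2.235(53), 1 packet
SLOT 2:Jul 2 11:26:04 EDT: %SEC-6-IPACCESSLOGP: list 119 denied udp 192.0.2.57(0) -> 192.0.2.10(0), 1 packet
SLOT 2:Jul 2 11:26:04 EDT: some unrelated syslog line
"""

def is_own(addr):
    """True if addr parses as an IP address inside one of OWN_PREFIXES."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in OWN_PREFIXES)

def spoofed_own_source(log_text):
    """Per destination: distinct own-prefix sources, packet total, and how many
    of those packets the ACL permitted (i.e. were not dropped at the edge)."""
    hits = defaultdict(lambda: {"sources": set(), "packets": 0, "permitted": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not is_own(m["src"]):
            continue  # not an ACL log line, or source is genuinely external
        entry = hits[m["dst"]]
        entry["sources"].add(m["src"])
        entry["packets"] += int(m["count"])
        if m["action"] == "permitted":
            entry["permitted"] += int(m["count"])
    return dict(hits)

if __name__ == "__main__":
    for dst, e in spoofed_own_source(SAMPLE_LOG).items():
        print(f"{dst}: {e['packets']} pkts, {len(e['sources'])} own-prefix "
              f"sources, {e['permitted']} permitted")
```

A non-zero `permitted` count for own-prefix sources on a transit-facing ACL means the anti-spoofing entry is missing or ordered after a permit.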