Doug Barton wrote:
On 02/18/2014 07:08 PM, Joe Maimon wrote:
Thousands of queries with thousands of source IP addresses.

Pardon if I missed a memo, but how are your resolver systems receiving
these thousands of very different source addresses?

Doug



Thousands of queries _from_ thousands of source IP addresses.

Likely they are spoofed.

This is an example of what I am seeing:

root@nameserver3:~# baddnsqueries-srcs 9aq.com | wc -l
1337
root@nameserver3:~# grep 9aq.com /var/log/named/queries | wc -l
1415
root@nameserver3:~# baddnsqueries-srcs 9aq.com | sort -rn -k2 | head -n5
99.86.116.243 1
99.219.232.72 1
99.184.19.178 1
99.155.180.193 1
99.129.26.85 1
root@nameserver3:~# grep 9aq.com /var/log/named/queries | head -n5
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)



root@nameserver3:~# cat /usr/local/sbin/baddnsqueries-srcs
#!/bin/bash
# Usage: baddnsqueries-srcs <pattern>
# Print each client address that sent a query matching <pattern>, followed
# by how many matching queries that address sent.

if [[ "$1" == "" ]]; then exit 0; fi
# Field 6 of a BIND query-log line is "client-ip#port:"; drop the port.
grep -E "$1" /var/log/named/queries | cut -f6 -d' ' | cut -f1 -d# | sort -u |
while read -r INPUT; do
        if [[ "$INPUT" == "" ]]; then
                continue
        fi
        # Match the address literally (-F) and anchored to the "client " field
        # so 10.1.1.1 does not also count lines from 10.1.1.10 or 110.1.1.1.
        echo "$INPUT" "$(grep -F "client $INPUT#" /var/log/named/queries | grep -c -E "$1")"
done
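As an added example (not code from the thread or its author), a small Python detector that applies the same idea as the script above to lines in the log format shown: for one zone it reports how many queries arrived, what fraction came from distinct sources, what fraction used distinct leftmost labels, and how random those labels look. The log lines it runs on are constructed, and the thresholds in is_random_subdomain_flood are assumed starting points, not measured values.

```python
import random
import re
from collections import Counter
from math import log2

# Matches the BIND query-log format shown in the thread.
LINE_RE = re.compile(r"client ([0-9A-Fa-f.:]+)#\d+: query: (\S+) IN (\S+)")

def parse_line(line):
    """Return (src_ip, qname, qtype), or None for lines that are not queries."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2).lower().rstrip("."), m.group(3)) if m else None

def label_entropy(label):
    """Shannon entropy in bits/char: random labels score high, real names low."""
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values()) if n else 0.0

def profile_zone(lines, zone):
    """Count queries under `zone`, unique-source/label fractions, label entropy."""
    zone = zone.lower().strip(".")
    sources, labels, ent, total = Counter(), set(), 0.0, 0
    for src, qname, _ in filter(None, map(parse_line, lines)):
        if qname != zone and not qname.endswith("." + zone):
            continue
        # The leftmost label is where a random-subdomain flood injects junk.
        label = qname[: -len(zone) - 1].split(".")[0] if qname != zone else ""
        total += 1
        sources[src] += 1
        labels.add(label)
        ent += label_entropy(label)
    d = max(total, 1)
    return {"total": total, "source_ratio": len(sources) / d,
            "label_ratio": len(labels) / d, "entropy": ent / d}

def is_random_subdomain_flood(p, min_total=100, min_entropy=2.5):
    """Flag: nearly every qname and source unique (one query each) and random labels."""
    return (p["total"] >= min_total and p["label_ratio"] > 0.9
            and p["source_ratio"] > 0.9 and p["entropy"] > min_entropy)

def constructed_log(n, zone, seed=1):
    """Constructed sample lines in the thread's log format (not real traffic)."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        label = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=rng.randint(8, 14)))
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        out.append(f"18-Feb-2014 22:42:{i % 60:02d}.000 queries: info: client "
                   f"{src}#{rng.randint(1024, 65535)}: query: {label}.dlq1.{zone} IN A + (66.199.132.5)")
    return out
```

Run it over a real /var/log/named/queries with `profile_zone(open(path), "9aq.com")`; a legitimate zone under load shows a low label_ratio and a low source_ratio because the same names and the same resolvers recur.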
