Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


DNS "attack"

  • From: Mark Kent
  • Date: Sun Aug 25 16:21:42 2002

FYI,

I'm seeing a lot of DNS lookups for all the three letter domain names
for which we are listed as authoritative (we have five).  

The requests look like this:

req: nlookup(foo.com) id 64450 type=255 class=255

 212.100.232.17.domain > myserver.domain:  31881+ ANY ANY? foo.com. (25)
                         4500 0035 1e38 0000 ed11 e20a d464 e811
                         c7f5 4909 0035 0035 0021 0000 7c89 0100
                         0001 0000 0000 0000 0365 6f73 0363 6f6d
                         0000 ff00 ff

We get about 400 requests per minute, per "attacking" machine,
per authoritative name server, per domain.  

This happened on July 25 with these two sources:

194.186.87.197
130.94.23.70

and today, August 25, with this source:

212.100.232.17

Clearly, this is not a problem right now.  But if the
number of attacking machines grows, then any machine that
serves many three-letter domain names might notice.

And who knows, maybe the cretins will get creative and move
to four letter domains!

Just FYI,
-mark

P.S.  I mentioned the two dates above (7/25, 8/25) purely for
      entertainment purposes.  Consistent with the NY Times
      article last weekend about putting too much weight in 
      events that are merely coincidences, I don't mean to imply
      that there is a "25th of the month" conspiracy afoot.
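
Added example, not part of the original post: a sketch of how a name server operator could flag the pattern described above, parsing DNS query payloads and counting type=255 class=255 questions per source, per minute, per name. The 300-per-minute threshold, the helper names and the sample traffic (documentation addresses, the post's placeholder name foo.com) are assumptions constructed for illustration.

```python
import struct
from collections import Counter

ANY = 255  # QTYPE "*" and QCLASS "*" share the value 255 (type=255 class=255 above)

def parse_question(payload):
    """Return (id, qname, qtype, qclass) of the first question, or None if not a well-formed query."""
    if len(payload) < 12:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set (a response) or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:                              # root label ends the name
            break
        if n > 63 or pos + n > len(payload):    # compression pointer or truncated label
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qid, ".".join(labels) + ".", qtype, qclass

def noisy_sources(events, threshold=300):       # threshold is an assumed value, below the reported rate
    """Count ANY/ANY queries per (source, minute, name); return the buckets at or above threshold."""
    counts = Counter()
    for ts, src, payload in events:
        q = parse_question(payload)
        if q and q[2] == ANY and q[3] == ANY:
            counts[(src, int(ts) // 60, q[1])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def build_query(qid, name, qtype, qclass):
    """Constructed sample input: a one-question query with RD set."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, qclass)

def sample_events():
    """Constructed traffic: one source sending 400 ANY/ANY queries in a minute, plus ordinary lookups."""
    flood = [(600 + i * 0.15, "192.0.2.10", build_query(i, "foo.com", ANY, ANY)) for i in range(400)]
    normal = [(600 + i, "198.51.100.7", build_query(i, "foo.com", 1, 1)) for i in range(5)]
    return flood + normal + [(601, "198.51.100.7", build_query(9, "foo.com", ANY, 1))]

if __name__ == "__main__":
    print(noisy_sources(sample_events()))
```

Only questions with both type and class set to 255 are counted, so the ordinary A/IN lookups and the single ANY/IN query in the sample are ignored.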


      



