[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Hatem Nassrat hnassrat at gmail.com
Mon Jun 30 03:10:27 ADT 2014


On Mon, Jun 30, 2014 at 2:48 AM, Mike Spencer <mspencer at tallships.ca> wrote:

> What I was seeing was like these:
>
>     02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34
>                     udp port 53 unreachable, length 70
>
>     02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510:
>                     1907 ServFail 0/0/0 (42)
>
>     03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636:
>                     62834 NXDomain 0/0/0 (34)
>
> 205 unique source addresses in just under an hour, one packet per src
> address.
>

Hope I am not stating the obvious. To me it seems that these could be
traceroutes; my guess is due to the ICMP packets and DNS packets. AFAIR
traceroute commands usually broadcast messages and wait for an answer.


-- 
Hatem Nassrat
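
Added example (not part of the original message or thread): one way to check a capture like the one quoted above is to tally port-53 replies and ICMP port-53 unreachables that answer no query the host itself sent. It assumes `tcpdump -n` text output, one packet per line, that also contains the host's outbound queries; the last two sample lines and the names `unsolicited`, `SAMPLE` and `LOCAL` are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump -n text lines. The first three are the packets quoted in the thread,
# unwrapped onto one line each; the last two are constructed (a query and its reply).
SAMPLE = """\
02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34 udp port 53 unreachable, length 70
02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510: 1907 ServFail 0/0/0 (42)
03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636: 62834 NXDomain 0/0/0 (34)
03:00:20.000000 IP 24.215.115.23.50000 > 192.0.2.53.53: 4242+ A? example.org. (29)
03:00:20.030000 IP 192.0.2.53.53 > 24.215.115.23.50000: 4242 1/0/0 A 192.0.2.10 (45)
"""

LOCAL = "24.215.115.23"  # address of the capturing host, as in the quoted output
IP4 = r"(\d+\.\d+\.\d+\.\d+)"
UDP = re.compile(rf"^\S+ IP {IP4}\.(\d+) > {IP4}\.(\d+): (\d+)")
ICMP = re.compile(rf"^\S+ IP {IP4} > {IP4}: ICMP \S+ udp port 53 unreachable")


def unsolicited(text, local=LOCAL):
    """Count, per remote source, port-53 traffic to `local` that answers no query it sent."""
    asked = set()    # (server, local port, DNS id) of queries seen leaving `local`
    queried = set()  # every server `local` sent a DNS query to
    hits = Counter()
    for line in text.splitlines():
        m = UDP.match(line)
        if m:
            src, sport, dst, dport, qid = m.groups()
            if src == local and dport == "53":
                asked.add((dst, sport, qid))
                queried.add(dst)
            elif dst == local and sport == "53" and (src, dport, qid) not in asked:
                hits[src] += 1
            continue
        m = ICMP.match(line)
        if m and m.group(2) == local and m.group(1) not in queried:
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    found = unsolicited(SAMPLE)
    print(len(found), "unique sources,", max(found.values()), "packet(s) max per source")
```

A reply counts as solicited only when server address, local port and DNS id all match an earlier outbound query, so the capture must be in time order.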