[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"
robert at mckay.com
Mon Jun 30 05:35:52 ADT 2014
On Mon, 30 Jun 2014 02:48:53 -0300, mspencer at tallships.ca wrote:
> What I was seeing was like these:
> 02:58:54.788688 IP 188.8.131.52 > 184.108.40.206: ICMP
> udp port 53 unreachable, length 70
> 02:59:24.048691 IP 220.127.116.11.53 > 18.104.22.168.35510:
> 1907 ServFail 0/0/0 (42)
> 03:00:13.948690 IP 22.214.171.124.53 > 126.96.36.199.41636:
> 62834 NXDomain 0/0/0 (34)
> 205 unique source address in just under an hour, one packet per src
> I found mention of DNS flooding on the net. Presumably people could
> forging my IP address in packets meant to DOS DNS and then I would
> the replies. Doesn't look like that's happening here. The source
> are all sorts, many with names that look like subscriber lines.
> It appears that numerous people/hosts are sending unsolicited DNS
> replies. I wonder why, what's happening.
> Not seeing it tonight. My usual ISP is down and the backup ISP
> seems to have different filters in place. Only one DNS packet and
> an ANY request for census.gov from (no rDNS) someplace in USA:PA.
This is typical DNS flooding behaviour.. an any request for census.gov
returns a nice big reply that's good for flooding.. 188.8.131.52 and
184.108.40.206 are open recursors which means they will answer requests
sent from any IP address. Someone is spoofing requests from your IP to
the open servers and they reply with more traffic than the attacker had
to send in queries.
Most likely someone who was previously using your dynamic IP was
targeted (unless you've recently angered some internet vandals ;)
More information about the nSLUG