[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Robert McKay robert at mckay.com
Mon Jun 30 05:35:52 ADT 2014


On Mon, 30 Jun 2014 02:48:53 -0300, mspencer at tallships.ca wrote:

> What I was seeing was like these:
>
>     02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34
>                     udp port 53 unreachable, length 70
>
>     02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510:
>                     1907 ServFail 0/0/0 (42)
>
>     03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636:
>                     62834 NXDomain 0/0/0 (34)
>
> 205 unique source addresses in just under an hour, one packet per src
> address.
>
>
> I found mention of DNS flooding on the net. Presumably people could be
> forging my IP address in packets meant to DoS DNS and then I would get
> the replies. Doesn't look like that's happening here. The source hosts
> are all sorts, many with names that look like subscriber lines.
>
> It appears that numerous people/hosts are sending unsolicited DNS
> replies.  I wonder why, what's happening.
>
>
> Not seeing it tonight.  My usual ISP is down and the backup ISP
> seems to have different filters in place. Only one DNS packet and it's
> an ANY request for census.gov from (no rDNS) someplace in USA:PA.

This is typical DNS flooding behaviour: an ANY request for census.gov
returns a nice big reply that's good for flooding. 192.157.242.141 and
193.151.80.59 are open recursors, which means they will answer requests
sent from any IP address. Someone is spoofing requests from your IP to
the open servers and they reply with more traffic than the attacker had
to send in queries.

Most likely someone who was previously using your dynamic IP was 
targeted (unless you've recently angered some internet vandals ;)

Rob

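As an added illustration (not part of the thread), here is a small Python script that sorts tcpdump lines of the format quoted above into replies you never asked for, i.e. the reflected traffic Rob describes, versus answers to queries you actually sent, plus the ICMP port-unreachable backscatter. The sample lines are constructed from the thread's format; the 8.8.8.8 query/answer pair is invented.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump -n format quoted in the thread (not a real capture).
# The first three lines mirror the post; the 8.8.8.8 query/answer pair is made up to
# show what a reply we actually asked for looks like.
SAMPLE = """\
02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34 udp port 53 unreachable, length 70
02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510: 1907 ServFail 0/0/0 (42)
03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636: 62834 NXDomain 0/0/0 (34)
03:00:20.123456 IP 24.215.115.23.41000 > 8.8.8.8.53: 4711+ A? example.com. (29)
03:00:20.234567 IP 8.8.8.8.53 > 24.215.115.23.41000: 4711 1/0/0 A 93.184.216.34 (45)
"""

# Outbound query from us to a server's port 53: src.port > server.53: txid ...
QUERY_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.53: (\d+)")
# Inbound answer from port 53: server.53 > me.port: txid[flags] ...
REPLY_RE = re.compile(r"^\S+ IP (\S+)\.53 > (\S+)\.(\d+): (\d+)[*$|-]* ")
# ICMP port-unreachable backscatter: a host bounced a DNS packet it never asked for
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP \S+ udp port 53 unreachable")


def classify(lines, my_ip):
    """Sort capture lines into unsolicited DNS replies and ICMP unreachables.

    Returns (unsolicited, icmp), Counters keyed by remote address. A reply
    counts as solicited only if we earlier saw our own query to that server
    with the same local port and transaction id (as a resolver would check).
    """
    sent = set()  # (server, local port, txid) for queries we sent
    unsolicited, icmp = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.match(line)
        if m and m.group(1) == my_ip:
            sent.add((m.group(3), m.group(2), m.group(4)))
            continue
        m = REPLY_RE.match(line)
        if m and m.group(2) == my_ip:
            if (m.group(1), m.group(3), m.group(4)) not in sent:
                unsolicited[m.group(1)] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) == my_ip:
            icmp[m.group(1)] += 1
    return unsolicited, icmp


if __name__ == "__main__":
    unsol, icmp = classify(SAMPLE.splitlines(), "24.215.115.23")
    print(f"{len(unsol)} reflectors, {len(icmp)} ICMP bouncers:", dict(unsol), dict(icmp))
```

Feed it `tcpdump -n -l udp port 53 or icmp` output over an hour to get the per-source counts the original poster tallied by hand.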
