[cisco-voip] CUCM 8.6 DNS Attack/Spam?
Adam Frankel
adamgfrankel at gmail.com
Mon Mar 13 13:54:00 EDT 2017
Hi All,
I have a customer with an 8.6(2) subscriber spamming our Primary and
secondary DNS servers with PTR lookups for what appear to be IP phone
addresses. This traffic accounts for 40% of the inbound DNS requests
in the enterprise.
Symptoms:
-Dozens of PTR record requests every second of every day, continuously.
-Primary DNS server is now returning intermittent server failures.
-Only a single subscriber has the issue, even though others have phones
registered while this one does not.
-Only 2 IP phones registered to that particular subscriber (although it
is a backup for several thousand).
-The outbound DNS requests do not seem to correspond to any particular
inbound request.
-Checked CLI logs (to validate that no CLI command requiring a reverse DNS
lookup, such as "show network status", was being run).
-Nothing of particular note in CiscoSyslog or the messages log.
-Server has a 24 bit subnet mask, IP phones are in another subnet.
Anyone seen this before? This sounds all too familiar, but I am having
a difficult time pinpointing it.
Thanks,
--
Adam Frankel
CCIE 31689
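Added example, not from the post or from Cisco: a small check to run over the resolver's query log to confirm which client is the PTR top talker, what share of all queries it accounts for, its peak per-second rate, and which /24s it is reverse-looking up (the "IP phone addresses" in the post). The log lines are constructed, and the BIND-style layout they follow and the 25% share threshold are assumptions to adjust for your own server.

```python
import re
from collections import Counter
# Constructed sample lines in a BIND-style query-log layout (an assumption about
# the resolver's format; adjust LINE_RE for your server's log).
SAMPLE_LOG = """\
13-Mar-2017 13:54:00.101 client 10.1.2.50#40001: query: 7.3.20.10.in-addr.arpa IN PTR + (10.1.2.10)
13-Mar-2017 13:54:00.152 client 10.1.2.50#40002: query: 8.3.20.10.in-addr.arpa IN PTR + (10.1.2.10)
13-Mar-2017 13:54:00.203 client 10.1.2.50#40003: query: 9.3.20.10.in-addr.arpa IN PTR + (10.1.2.10)
13-Mar-2017 13:54:00.310 client 10.1.2.77#53211: query: www.example.com IN A + (10.1.2.10)
13-Mar-2017 13:54:01.005 client 10.1.2.50#40004: query: 10.3.20.10.in-addr.arpa IN PTR + (10.1.2.10)
13-Mar-2017 13:54:01.420 client 10.1.2.88#51000: query: mail.example.com IN MX + (10.1.2.10)
13-Mar-2017 13:54:01.900 client 10.1.2.50#40005: query: 11.4.20.10.in-addr.arpa IN PTR + (10.1.2.10)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\S* client (?P<client>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<rtype>[A-Z]+)"
)

def arpa_to_ip(name):
    """Turn '7.3.20.10.in-addr.arpa' back into the looked-up address '10.20.3.7'."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))

def parse_queries(text):
    """Yield (second, client, name, rtype) for every line matching LINE_RE."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            yield m.group("ts"), m.group("client"), m.group("name"), m.group("rtype")

def ptr_talkers(text, share_threshold=0.25):
    """Per-client PTR stats, plus clients whose PTR share of all queries >= threshold."""
    total = 0
    per_client = Counter()          # client -> PTR query count
    per_second = Counter()          # (client, second) -> PTR queries in that second
    subnets = {}                    # client -> set of /24s being reverse-looked-up
    for sec, client, name, rtype in parse_queries(text):
        total += 1
        if rtype == "PTR" and name.endswith(".in-addr.arpa"):
            per_client[client] += 1
            per_second[(client, sec)] += 1
            ip = arpa_to_ip(name)
            subnets.setdefault(client, set()).add(ip.rsplit(".", 1)[0] + ".0/24")
    report = {}
    for client, n in per_client.items():
        peak = max(c for (cl, _), c in per_second.items() if cl == client)
        report[client] = {"ptr_queries": n, "share": round(n / total, 3),
                          "peak_per_sec": peak, "subnets": sorted(subnets[client])}
    suspects = sorted(c for c, r in report.items() if r["share"] >= share_threshold)
    return report, suspects
```

Feed it the real query log with `ptr_talkers(open(path).read())`; a single client above the threshold with a steady peak rate and phone subnets in its list is the pattern the post describes.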