[cisco-voip] CUCM 8.6 DNS Attack/Spam?

Adam Frankel adamgfrankel at gmail.com
Mon Mar 13 13:54:00 EDT 2017


Hi All,

I have a customer with an 8.6(2) subscriber spamming our Primary and 
secondary DNS servers with PTR lookups for what appear to be IP phone 
addresses.   This traffic accounts for 40% of the inbound DNS requests 
in the enterprise.

Symptoms:

-Dozens of PTR record requests every second of every day, continuously.
-Primary DNS Server is now returning intermittent server failures
-Only a single subscriber has the issue, even though others have phones 
registered while this one does not
-Only 2 IP Phones registered to that particular subscriber (although it 
is a backup for several thousand)
-The outbound DNS requests do not seem to correspond to any particular 
inbound request
-Checked CLI logs (to validate that no CLI command requiring a reverse DNS 
lookup, such as "show network status", was being run)
-Nothing in CiscoSyslog or messages log of particular note
-Server has a 24 bit subnet mask, IP phones are in another subnet.

Anyone seen this before?  This sounds all too familiar, but I am having 
a difficult time pinpointing it.

Thanks,
--
Adam Frankel
CCIE 31689
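To put numbers on a report like the one above (share of all DNS traffic, sustained rate, which addresses are being reversed and whether they sit in the phone subnet), here is an added example that is not part of the original post or of any Cisco or CUCM tooling. It assumes BIND-9-style query log lines of the form `client <ip>#<port>: query: <name> IN <type> ...`; the sample lines, the subscriber address 10.10.0.21 and the phone subnet 10.20.0.0/24 are constructed for illustration.

```python
"""Count and attribute PTR-lookup floods in DNS query logs.

Added example, not from the original post. It assumes BIND-9-style query
log lines; the sample lines, subscriber address and phone subnet below are
constructed / hypothetical.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical addresses standing in for the environment in the post.
SUSPECT_SUBSCRIBER = "10.10.0.21"                     # the CUCM subscriber under suspicion
PHONE_SUBNET = ipaddress.ip_network("10.20.0.0/24")   # the subnet the phones live in

# Constructed BIND-9-style query log lines (timestamps and addresses are made up).
SAMPLE_LOG = """\
13-Mar-2017 13:54:00.101 client 10.10.0.21#49152: query: 7.0.20.10.in-addr.arpa IN PTR + (10.10.0.5)
13-Mar-2017 13:54:00.132 client 10.10.0.21#49153: query: 8.0.20.10.in-addr.arpa IN PTR + (10.10.0.5)
13-Mar-2017 13:54:00.140 client 10.30.1.44#51000: query: www.example.com IN A + (10.10.0.5)
13-Mar-2017 13:54:00.177 client 10.10.0.21#49154: query: 9.0.20.10.in-addr.arpa IN PTR + (10.10.0.5)
13-Mar-2017 13:54:00.201 client 10.30.1.45#51001: query: ldap.example.com IN A + (10.10.0.5)
13-Mar-2017 13:54:00.533 client 10.10.0.21#49155: query: 10.0.20.10.in-addr.arpa IN PTR + (10.10.0.5)
13-Mar-2017 13:54:00.901 client 10.10.0.21#49156: query: 7.0.20.10.in-addr.arpa IN PTR + (10.10.0.5)
13-Mar-2017 13:54:01.004 client 10.30.1.44#51002: query: 1.1.30.10.in-addr.arpa IN PTR + (10.10.0.5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def ptr_name_to_ip(name):
    """Map '7.0.20.10.in-addr.arpa' back to IPv4Address('10.20.0.7'); None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    name = name.rstrip(".")
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["client"], m["name"], m["qtype"]


def ptr_report(text, phone_subnet):
    """Per-client PTR statistics over the whole log window.

    Returns {client: {"ptr": PTR query count,
                      "share": fraction of ALL queries in the log,
                      "qps": PTR queries per second over the log span,
                      "phone_targets": distinct reversed IPs inside phone_subnet}}.
    """
    records = list(parse_log(text))
    if not records:
        return {}
    total = len(records)
    span = (max(r[0] for r in records) - min(r[0] for r in records)).total_seconds()
    window = max(span, 1.0)  # do not divide by ~0 on a sub-second excerpt
    per_client = defaultdict(lambda: {"ptr": 0, "phone_targets": set()})
    for _ts, client, qname, qtype in records:
        if qtype != "PTR":
            continue
        entry = per_client[client]
        entry["ptr"] += 1
        target = ptr_name_to_ip(qname)
        if target is not None and target in phone_subnet:
            entry["phone_targets"].add(str(target))
    return {
        client: {
            "ptr": e["ptr"],
            "share": e["ptr"] / total,
            "qps": e["ptr"] / window,
            "phone_targets": sorted(e["phone_targets"], key=ipaddress.ip_address),
        }
        for client, e in per_client.items()
    }


def flag_ptr_sources(text, phone_subnet, min_share=0.25, min_qps=1.0):
    """Clients whose PTR traffic is both a large share of all queries and sustained."""
    report = ptr_report(text, phone_subnet)
    return sorted(c for c, s in report.items() if s["share"] >= min_share and s["qps"] >= min_qps)


if __name__ == "__main__":
    for client, s in sorted(ptr_report(SAMPLE_LOG, PHONE_SUBNET).items()):
        print(f"{client:15} PTR={s['ptr']:3} share={s['share']:.0%} qps={s['qps']:.1f} "
              f"phone_targets={s['phone_targets']}")
    print("flagged:", flag_ptr_sources(SAMPLE_LOG, PHONE_SUBNET))
```

Run it against a real query log (or a `dnstap`/pcap export converted to this line shape) with the phone subnet and thresholds for your environment; the `phone_targets` list is what tells you the reversed addresses are phone IPs rather than, say, an unrelated scanner, and the per-client share is the figure to compare with the "40% of inbound DNS requests" observation.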
