[cisco-voip] CUCM 8.6 DNS Attack/Spam?

Joe Martini joemar2 at cisco.com
Mon Mar 13 14:02:57 EDT 2017


Hi Adam,

The Dialed Number Analyzer (DNA) service is likely responsible for this (CSCui45986). If you don’t need it on that subscriber, try to stop it and confirm that the flood stops.

Joe

On Mar 13, 2017, at 1:54 PM, Adam Frankel <adamgfrankel at gmail.com> wrote:

Hi All,

I have a customer with an 8.6(2) subscriber spamming our primary and secondary DNS servers with PTR lookups for what appear to be IP phone addresses. This traffic accounts for 40% of the inbound DNS requests in the enterprise.

Symptoms:

-Dozens of PTR record requests every second of every day, continuously.
-Primary DNS Server is now returning intermittent server failures
-Only a single subscriber has the issue, even though others have phones registered while this one does not
-Only 2 IP Phones registered to that particular subscriber (although it is a backup for several thousand)
-The outbound DNS requests do not seem to correspond to any particular inbound request
-Checked CLI logs (to validate that no CLI command requiring a reverse DNS lookup, such as "show network status", was being run)
-Nothing in CiscoSyslog or messages log of particular note
-Server has a 24 bit subnet mask, IP phones are in another subnet.

Anyone seen this before?  This sounds all too familiar, but I am having a difficult time pinpointing it.

Thanks,
--
Adam Frankel
CCIE 31689

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
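The symptom list above is essentially a manual detection procedure: find which client is responsible for the PTR load, how hard it is hitting the resolver, and whether the reverse lookups target the phone subnet. The script below is an added example (not from the thread, not Cisco's or the list's code) that runs that triage over BIND-style query log lines. The log lines, addresses (a subscriber at 10.20.0.15, a phone VLAN 10.30.1.0/24, resolver 10.20.0.5) and thresholds are constructed for illustration; it assumes the resolver writes a BIND 9 `queries`-category log, and the regular expression is deliberately loose rather than a full parser of that format.

```python
"""Spot a host flooding DNS with PTR lookups from BIND-style query log lines.

Added example, not from the mailing-list thread. The log lines produced by
constructed_log() are made up to resemble BIND 9 'queries' category output.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Loose match for a BIND-style query log line (assumed format), e.g.
# 13-Mar-2017 13:50:01.001 client 10.20.0.15#50000: query: 7.1.30.10.in-addr.arpa IN PTR + (10.20.0.5)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_query_log(lines):
    """Return (timestamp, client, qname, qtype) for every line that matches LOG_RE."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query log entry; ignore
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        out.append((ts, m["client"], m["qname"].rstrip("."), m["qtype"].upper()))
    return out


def ptr_target(qname):
    """Map 'd.c.b.a.in-addr.arpa' back to the IPv4 address a.b.c.d, or None."""
    labels = qname.lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def ptr_share_by_client(records):
    """Fraction of all logged queries that are PTR lookups, per client."""
    total = len(records)
    ptr_counts = Counter(client for _, client, _, qtype in records if qtype == "PTR")
    return {c: n / total for c, n in ptr_counts.items()} if total else {}


def find_ptr_flooders(records, min_share=0.25, min_rate_per_sec=5):
    """Clients whose PTR lookups exceed both a share of all queries and a peak per-second rate."""
    shares = ptr_share_by_client(records)
    per_sec = defaultdict(Counter)  # client -> second -> PTR count
    for ts, client, _, qtype in records:
        if qtype == "PTR":
            per_sec[client][ts.replace(microsecond=0)] += 1
    flooders = []
    for client, share in shares.items():
        peak = max(per_sec[client].values())
        if share >= min_share and peak >= min_rate_per_sec:
            flooders.append(client)
    return sorted(flooders)


def ptr_targets_in_subnet(records, client, subnet):
    """Fraction of a client's PTR targets that fall inside subnet (e.g. the phone VLAN)."""
    net = ipaddress.ip_network(subnet)
    targets = [ptr_target(q) for _, c, q, t in records if c == client and t == "PTR"]
    targets = [ip for ip in targets if ip is not None]
    if not targets:
        return 0.0
    return sum(ip in net for ip in targets) / len(targets)


def constructed_log():
    """Constructed sample: one CUCM-like host hammering PTR, plus a little normal traffic."""
    base = "13-Mar-2017 13:50:0{s}.{ms:03d} client {client}#{port}: query: {q} IN {t} + (10.20.0.5)"
    lines = []
    for s in range(4):  # 4 seconds x 8 PTR queries/second for phone addresses in 10.30.1.0/24
        for i in range(8):
            host = (s * 8 + i) % 200 + 1
            lines.append(base.format(s=s, ms=i * 100, client="10.20.0.15", port=50000 + i,
                                     q=f"{host}.1.30.10.in-addr.arpa", t="PTR"))
        lines.append(base.format(s=s, ms=500, client="10.40.0.7", port=40000, q="www.example.com", t="A"))
        lines.append(base.format(s=s, ms=600, client="10.40.0.8", port=40001, q="mail.example.com", t="MX"))
    lines.append("junk line that is not a query")
    return lines


if __name__ == "__main__":
    recs = parse_query_log(constructed_log())
    for client in find_ptr_flooders(recs):
        share = ptr_share_by_client(recs)[client]
        in_phone_vlan = ptr_targets_in_subnet(recs, client, "10.30.1.0/24")
        print(f"{client}: {share:.0%} of all queries are PTR; "
              f"{in_phone_vlan:.0%} of targets are in the phone VLAN")
```

On a real resolver, replace `constructed_log()` with the lines of the query log; the share and per-second thresholds are the knobs to tune so that ordinary reverse-lookup traffic (mail servers, syslog collectors) does not trip the check, and `ptr_targets_in_subnet` is what ties the flood back to the phone subnet rather than to a generic misbehaving client.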