[cisco-voip] CUCM 8.6 DNS Attack/Spam?

Adam Frankel adamgfrankel at gmail.com
Mon Mar 13 14:19:57 EDT 2017


Thanks Joe,

You rock!

--
Adam

On 3/13/2017 2:02 PM, Joe Martini wrote:
> Hi Adam,
>
> The Dialed Number Analyzer (DNA) service is likely responsible for this (CSCui45986).  If you don’t need it on that subscriber try to stop it and confirm that the flood stops.
>
> Joe
>
> On Mar 13, 2017, at 1:54 PM, Adam Frankel <adamgfrankel at gmail.com> wrote:
>
> Hi All,
>
> I have a customer with an 8.6(2) subscriber spamming our primary and secondary DNS servers with PTR lookups for what appear to be IP phone addresses. This traffic accounts for 40% of the inbound DNS requests in the enterprise.
>
> Symptoms:
>
> -Dozens of PTR record requests every second of every day, continuously.
> -Primary DNS server is now returning intermittent server failures.
> -Only a single subscriber has the issue, even though others have phones registered, while this one does not.
> -Only 2 IP phones registered to that particular subscriber (although it is a backup for several thousand).
> -The outbound DNS requests do not seem to correspond to any particular inbound request.
> -Checked CLI logs (to validate that no CLI command requiring a reverse DNS lookup was being run, such as "show network status").
> -Nothing in CiscoSyslog or the messages log of particular note.
> -Server has a 24-bit subnet mask; IP phones are in another subnet.
>
> Anyone seen this before?  This sounds all too familiar, but I am having a difficult time pinpointing it.
>
> Thanks,
> --
> Adam Frankel
> CCIE 31689
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
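The symptoms above (one host, PTR lookups for many phone addresses, a large share of all inbound queries) are easy to confirm from the DNS server's own query log before touching the subscriber. The following is an added example, not code from the thread or from Cisco: it parses constructed BIND9-style query-log lines (the 10.1.1.x addresses, the reverse names and the 25%/10-target thresholds are all assumptions) and reports which clients are flooding the server with reverse lookups.

```python
import re
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed BIND9-style query log (not from the thread): 10.1.1.5 stands in for the
    CUCM subscriber and fires 30 PTR lookups in one second; 10.1.1.20/.21 are ordinary clients."""
    fmt = "13-Mar-2017 13:40:01.{ms:03d} client {c}#{p} ({q}): query: {q} IN {t} + (10.1.1.1)"
    lines = [fmt.format(ms=i * 30, c="10.1.1.5", p=50000 + i, q=f"{i + 10}.7.20.10.in-addr.arpa", t="PTR")
             for i in range(30)]
    lines.append(fmt.format(ms=400, c="10.1.1.20", p=40001, q="mail.example.com", t="A"))
    lines.append(fmt.format(ms=800, c="10.1.1.21", p=40002, q="www.example.com", t="A"))
    lines.append(fmt.format(ms=900, c="10.1.1.20", p=40003, q="5.1.1.10.in-addr.arpa", t="PTR"))
    return "\n".join(lines)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log_text):
    """Yield (second-resolution timestamp, client IP, query name, query type) per parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["client"], m["qname"], m["qtype"]

def ptr_stats(log_text):
    """Per client: total queries, PTR queries, and distinct reverse names asked for."""
    stats = defaultdict(lambda: {"total": 0, "ptr": 0, "targets": set()})
    for _ts, client, qname, qtype in parse_queries(log_text):
        stats[client]["total"] += 1
        if qtype == "PTR":
            stats[client]["ptr"] += 1
            stats[client]["targets"].add(qname)
    return dict(stats)

def peak_ptr_per_second(log_text):
    """Highest number of PTR queries one client sent within a single clock second."""
    buckets = Counter((c, ts) for ts, c, _q, t in parse_queries(log_text) if t == "PTR")
    peak = {}
    for (client, _ts), n in buckets.items():
        peak[client] = max(peak.get(client, 0), n)
    return peak

def flag_ptr_flooders(log_text, min_share=0.25, min_targets=10):
    """Clients whose PTR lookups are at least min_share of ALL queries seen and that asked
    about at least min_targets distinct addresses (a fleet of phones, not a single host)."""
    stats = ptr_stats(log_text)
    grand_total = sum(s["total"] for s in stats.values()) or 1
    return sorted(c for c, s in stats.items()
                  if s["ptr"] / grand_total >= min_share and len(s["targets"]) >= min_targets)
```

Run against a real query log, the flagged client and its peak PTR rate give a before/after measurement for stopping the DNA service: the per-second count for that subscriber should drop to zero once the service is down.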
