[nsp-sec] High DNS load in germany
P.Quick at telekom.de
Thu Jan 7 14:01:15 EST 2010
Hi Gerard,
Many thanks for your quick response.
> I noticed that 90% of our DNS calls to your specific
> boxes @ dns01.btx.dtag.de & dns04.btx.dtag.de are for
> Domain Name Pointer (in-addr.arpa) queries.
I don't have the full picture yet .. But it looks like
the problem is only related to a huge number of
Domain Name Pointer (in-addr.arpa) queries.
But at the moment it looks like these queries don't
come from other DNS only. We see a lot of different sources.
BTW: we have a problem with a new malware distribution here.
(distributed via email).
Maybe this is related.
Many thanks again....
Greetings,
Peter
-----Original Message-----
From: White, Gerard [mailto:Gerard.White at bellaliant.ca]
Sent: Thursday, 7 January 2010 19:21
To: Quick, Peter; nsp-security at puck.nether.net
Subject: RE: [nsp-sec] High DNS load in germany
Greetings Peter.
Upon taking a quick sampling across all our DNS Infrastructure, I noticed that 90% of our DNS calls to your specific
boxes @ dns01.btx.dtag.de & dns04.btx.dtag.de are for Domain Name Pointer (in-addr.arpa) queries.
Although I haven't validated if the IPv4 addresses inside the queries are for your specific IP Space allotments,
could there be a possibility that your customer base is after getting hit with something - hence triggering
the large amount of in-addr.arpa queries from our DNS users?
GW
855 - Bell Aliant
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of P.Quick at telekom.de
Sent: January-07-10 2:24 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] High DNS load in germany
----------- nsp-security Confidential --------
Hello nsp-sec,
During the last days, there have been a lot of reports that several German ISPs
have massive problems with their DNS systems.
Major outages were reported (e.g. 1und1, InterNetX, schlund)
example: http://www.h-online.com/security/news/item/Attack-on-InterNetX-s-DNS-servers-898190.html
Since yesterday we also monitor a 500% increase of traffic
towards our authorised DNS. (till now we don't have any customer impact)
(mostly against dns01.btx.dtag.de and dns04.btx.dtag.de).
The huge traffic is only temporary and from several sources all over the world.
I have tried to find some information about what could be the reason for this big
traffic increase.
Because of this I found the statistics site from DENIC, about the
performance of the k-root-server of the DENIC.
http://k.root-servers.org/statistics/ROOT/recursion.html
There you can also see a huge increase of Recursion Requests since December.
(about 700%, also only temporary)
Does anybody see the same traffic increase and does anybody know
what's the reason for that?
At the moment I am trying to get in contact with other German ISPs.
But my personal contacts haven't responded so far.
So if anybody from 1und1, schlund, InterNetX ... is on the list
and is interested in sharing some information about this issue,
feel free to contact me offline.
Greetings,
Peter Quick
Deutsche Telekom AG
Service Zentrale, Group IT Security
Peter Quick
SZT-1
Karl-Lange Strasse 29, 44791 Bochum
+49 234 505 7800 (Tel.)
+49 2151 3660 4770 (Fax)
+49 160 7083944 (Mobil)
E-Mail: p.quick at telekom.de
http://www.telekom.com
Experience what connects.
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: René Obermann (Chairman),
Hamid Akhavan, Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme,
Timotheus Höttges, Guido Kerkhoff, Thomas Sattelberger
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
WEEE reg. no.: DE50478376
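
The checks discussed in this thread (the share of in-addr.arpa PTR queries, how many distinct sources send them, and whether the reversed addresses fall inside one's own allocations), as an added example that is not part of the original e-mails. The log format, the sample lines and the 192.0.2.0/24 prefix are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample query log, one "<client_ip> <qname> <qtype>" per line
# (hypothetical format; adapt the split to your resolver's query log).
SAMPLE_LOG = """\
198.51.100.7 10.2.0.192.in-addr.arpa. PTR
198.51.100.7 11.2.0.192.in-addr.arpa. PTR
203.0.113.9 77.113.0.203.in-addr.arpa. PTR
203.0.113.40 www.example.net. A
198.51.100.23 12.2.0.192.in-addr.arpa. PTR
198.51.100.80 13.2.0.192.in-addr.arpa. PTR
203.0.113.9 broken.in-addr.arpa. PTR
203.0.113.77 14.2.0.192.in-addr.arpa. PTR
"""

# Assumed own address space: a documentation prefix, not a real allotment.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def ptr_to_ip(qname):
    """Return the IPv4 address encoded in a full in-addr.arpa name, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def summarize(log_text, own_prefixes):
    """Compute PTR share, PTR source spread and PTRs targeting own space."""
    total = ptr = in_own = 0
    sources = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, qtype = parts
        total += 1
        if qtype.upper() != "PTR":
            continue
        ptr += 1
        sources[client] += 1
        ip = ptr_to_ip(qname)
        if ip is not None and any(ip in net for net in own_prefixes):
            in_own += 1
    return {"total": total, "ptr_share": ptr / total if total else 0.0,
            "ptr_in_own_space": in_own, "ptr_sources": len(sources)}
```

A high `ptr_share` combined with many `ptr_sources` and a large `ptr_in_own_space` matches the pattern reported above: reverse lookups for one operator's addresses arriving from many unrelated clients.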