[nsp-sec] Many fake incoming DNS queries ?
Kurt Jaeger
pi at nepustil.net
Tue Jun 14 10:52:30 EDT 2011
Hi!
Cleaning up after the attack from Friday evening, I found a lot
of strange DNS queries coming in from one of our upstreams
and would ask around if you can find flows of a similar nature
in your networks (and their source):
Basically, there are queries that match our allocation and
go to our nameserver (but are coming from outside our AS):
src net 212.71.192.0/19 and dst host 212.71.192.22 and dst port 53
The packets look Chinese 8-)
16:49:56.018005 IP 212.71.192.17.39795 > 212.71.192.22.53: 16749+ A? gy.focus.cn. (29)
16:49:56.054360 IP 212.71.192.28.42448 > 212.71.192.22.53: 16749+ A? a.yoho.cn. (27)
16:49:56.159429 IP 212.71.192.15.41021 > 212.71.192.22.53: 16749+ A? rtmp1.renren.com. (34)
16:49:56.166550 IP 212.71.192.14.40095 > 212.71.192.22.53: 16749+ A? trend.yoho.cn. (31)
16:49:56.209155 IP 212.71.192.40.36425 > 212.71.192.22.53: 19735+ A? cdntest.igou.cn. (33)
16:49:56.217273 IP 212.71.192.81.36664 > 212.71.192.22.53: 19735+ A? www.taoxie.cn. (31)
16:49:56.218397 IP 212.71.192.110.40866 > 212.71.192.22.53: 16749+ A? v1.jiathis.com. (32)
I would appreciate any hints on the source of this traffic.
--
MfG/Best regards, Kurt Jaeger                           9 years to go !
Dr.-Ing. Nepustil & Co. GmbH   fon +49 7123 93006-0     pi at nepustil.net
Rathausstr. 3                  fax +49 7123 93006-99
72658 Bempflingen              mob +49 171 3101372
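An added example (not part of Kurt's post or of anything on nsp-sec) of the triage one would do on a capture like the one above: parse tcpdump's DNS query lines, apply the same selection as the BPF filter quoted in the post (source inside the allocation, destination the nameserver, port 53), and count how many distinct "sources" share a DNS transaction ID and have the RD bit set (tcpdump's trailing "+"). It assumes the capture was taken on the upstream-facing interface, where a packet with an internal source address cannot be genuine; the netblock and nameserver address are the ones from the post, and the sample lines are the seven quoted above, embedded so the script runs offline. The function and variable names are the example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the seven tcpdump lines quoted in the post above, as seen with
# 'src net 212.71.192.0/19 and dst host 212.71.192.22 and dst port 53' on the upstream side.
SAMPLE = """\
16:49:56.018005 IP 212.71.192.17.39795 > 212.71.192.22.53: 16749+ A? gy.focus.cn. (29)
16:49:56.054360 IP 212.71.192.28.42448 > 212.71.192.22.53: 16749+ A? a.yoho.cn. (27)
16:49:56.159429 IP 212.71.192.15.41021 > 212.71.192.22.53: 16749+ A? rtmp1.renren.com. (34)
16:49:56.166550 IP 212.71.192.14.40095 > 212.71.192.22.53: 16749+ A? trend.yoho.cn. (31)
16:49:56.209155 IP 212.71.192.40.36425 > 212.71.192.22.53: 19735+ A? cdntest.igou.cn. (33)
16:49:56.217273 IP 212.71.192.81.36664 > 212.71.192.22.53: 19735+ A? www.taoxie.cn. (31)
16:49:56.218397 IP 212.71.192.110.40866 > 212.71.192.22.53: 16749+ A? v1.jiathis.com. (32)
"""

# tcpdump's default DNS query line:
#   <ts> IP <src>.<sport> > <dst>.<dport>: <txid>[flags] <qtype>? <qname> (<len>)
# The "+" after the transaction ID is tcpdump's marker for the RD (recursion desired) bit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+$|-]*) (?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_query(line):
    """Parse one tcpdump DNS query line; return a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["txid"] = int(rec["txid"])
    rec["rd"] = "+" in rec["flags"]
    return rec


def is_spoofed_internal(rec, our_net):
    """True if the packet claims a source inside our own allocation.

    Assumption: the caller only feeds packets seen on an upstream-facing interface.
    An internal source there cannot be genuine (it would have had to leave the AS
    and come back in), so the address is spoofed.
    """
    return ipaddress.ip_address(rec["src"]) in our_net


def analyse(capture_text, our_net="212.71.192.0/19", our_ns="212.71.192.22"):
    """Summarise a capture: spoofed-internal queries to our NS and transaction-ID reuse."""
    net = ipaddress.ip_network(our_net)
    records = [r for r in map(parse_query, capture_text.splitlines()) if r]
    # Same selection as the BPF filter in the post: to our NS, port 53, source in our net.
    hits = [r for r in records
            if r["dst"] == our_ns and r["dport"] == "53" and is_spoofed_internal(r, net)]
    by_txid = defaultdict(set)
    for r in hits:
        by_txid[r["txid"]].add(r["src"])
    return {
        "parsed": len(records),
        "spoofed": len(hits),
        "distinct_sources": len({r["src"] for r in hits}),
        "rd_set": sum(r["rd"] for r in hits),
        # txid -> number of distinct claimed sources that used it. A real population of
        # resolvers picks its own IDs; many sources sharing one ID points at a single
        # packet generator behind the spoofed addresses.
        "txid_reuse": {t: len(s) for t, s in by_txid.items() if len(s) > 1},
        "qnames": sorted(r["qname"] for r in hits),
    }


if __name__ == "__main__":
    import json
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(analyse(text), indent=2))
```

Run on a live capture with something like `tcpdump -n -l -i <upstream-if> 'src net 212.71.192.0/19 and dst host 212.71.192.22 and dst port 53' | python3 dnsflood.py` (interface and script name are placeholders; `-l` makes tcpdump line-buffer so the pipe sees lines as they arrive). On the seven quoted lines every packet carries a source inside the /19, every one has RD set, and only two transaction IDs appear across seven "sources", which is what one expects from one spoofing generator rather than from seven real resolvers.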