On 10/17/2012 07:39 PM, Dennis Clarke wrote:

> I have the exact same problem with an IP inside the State of Colorado
> General Government Computer subnet:

> http://whois.arin.net/rest/org/SCGGC

That's not exactly a fly-by-night organisation; have you contacted them?


> Some server there has been pounding queries at me at a rate of
> 48,000+ a day:

Some packets are arriving with that source IP. Big difference.

It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to).


> Queries show up in bunches: while the average is one every 1.7 secs, I see
> dozens of queries all arrive at nearly the same time, then a ten
> second pause, then another burst.

> Makes no sense to me what is going on there.

Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed source. DNS server sends 1 million DNS replies of 1000 bytes each to the spoofed IP. 10x amplification means the attacker can use lower-spec machines to overload a target.

Or something is just broken, and the source IPs are real - in which case, contact them.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
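An added example, not code from either poster or from ISC: a small Python script that does the check the reply suggests before contacting anyone, namely pulling the per-source timing pattern out of BIND's query log and computing the reflection arithmetic from the reply. The log lines are constructed to mimic 2012-era BIND 9 query-log output (the server address 203.0.113.53, the client addresses, the query names and the burst/pause thresholds are all assumptions made for the example, not data from the thread). It reports, per source address, the mean inter-arrival time, the most queries seen in any one-second window and the longest pause, so the "dozens at once, then ten seconds of nothing" shape that the thread describes shows up numerically, and it flags a source as bursty when the peak is large and the longest pause dwarfs the mean gap.

```python
"""Per-source burst analysis of BIND query-log lines plus reflection arithmetic.

Added example for the bind-users thread above; not code from the thread.
The log lines, addresses, names and thresholds are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Accepts the 2012-era BIND 9 query-log line shape; the "@0x..." pointer and
# the "(name)" field that newer versions add are tolerated as optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"(?: queries: info:)? client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

SERVER = "203.0.113.53"  # assumed address of the BIND server (constructed)


def _line(ts, ip, name="isc.org", qtype="ANY"):
    """Build one constructed query-log line for the sample below."""
    return f"{ts} queries: info: client {ip}#53: query: {name} IN {qtype} +E ({SERVER})"


# Constructed sample log: one source sends 12 queries inside ~0.55 s, pauses
# ~9.5 s, then sends 12 more (the pattern the thread describes); a second
# source behaves like a normal resolver, one A query every two seconds.
SAMPLE_LOG = (
    [_line(f"17-Oct-2012 19:39:00.{100 + 50 * i:03d}", "192.0.2.10") for i in range(12)]
    + [_line(f"17-Oct-2012 19:39:10.{100 + 50 * i:03d}", "192.0.2.10") for i in range(12)]
    + [_line(f"17-Oct-2012 19:39:{2 * i:02d}.000", "198.51.100.7", "www.isc.org", "A")
       for i in range(5)]
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for a non-query line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name"), m.group("qtype")


def burst_stats(lines, window=1.0, burst_min=10):
    """Per client IP: query count, mean inter-arrival gap, peak queries in any
    `window` seconds, longest pause, and a 'bursty' flag (thresholds assumed)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[1]].append(rec[0])
    out = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        n = len(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        longest_pause = max(gaps) if gaps else 0.0
        # Sliding window over the sorted timestamps: most queries in any `window` s.
        peak, j = 0, 0
        for i in range(n):
            while (stamps[i] - stamps[j]).total_seconds() > window:
                j += 1
            peak = max(peak, i - j + 1)
        # Bursty = a dense cluster plus a pause far longer than the average gap.
        bursty = peak >= burst_min and longest_pause > 5 * mean_gap
        out[ip] = {"count": n, "mean_gap": mean_gap, "peak_per_window": peak,
                   "longest_pause": longest_pause, "bursty": bursty}
    return out


def amplification(query_bytes, response_bytes, queries_per_day):
    """Amplification factor and the reply bandwidth (bytes/s) this one server
    pushes at the (possibly spoofed) source, using the reply's 100 B / 1000 B figures."""
    factor = response_bytes / query_bytes
    bytes_per_sec = queries_per_day * response_bytes / 86400
    return factor, bytes_per_sec


if __name__ == "__main__":
    for ip, s in burst_stats(SAMPLE_LOG).items():
        print(f"{ip}: {s['count']} queries, mean gap {s['mean_gap']:.2f}s, "
              f"peak {s['peak_per_window']}/s, longest pause {s['longest_pause']:.2f}s, "
              f"bursty={s['bursty']}")
    factor, bps = amplification(100, 1000, 48000)
    print(f"amplification {factor:.0f}x, {bps:.0f} B/s of replies at the source address")
```

Run it against a real query log by replacing SAMPLE_LOG with the file's lines; a source whose peak is in the dozens while its mean gap is over a second is the shape the reply attributes to induced reflection rather than to a misconfigured resolver, and the amplification figure shows why a 10x response/query ratio matters even when any single reflector's contribution (48,000 replies a day at 1000 bytes is only a few hundred bytes per second) is modest.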

Reply via email to