--- Begin Message ---
On 15.03.25 15:29, Matt Nordhoff wrote:
On Sat, Mar 15, 2025 at 11:14 AM Hans Mayer via dns-operations
<[email protected]> wrote:
The "source" IP has changed a few times but I think it's always within
60.26.0.0/16. Right now it's 60.26.67.97.
I don't think it's "right now". It seems there is a pool of such
"services" acting.
I saw on different resolvers different IP addresses, but always the same
IP address for the same DNS server for a certain time interval. And from
time to time the IP address disappears and a new one comes up.
Since it could be a reflection/amplification attack with spoofed
source addresses, that might be the victim rather than anyone
responsible.
For an attack it comes in too regular intervals, in my opinion.
This is the time series for the last 2 weeks for 60.26.0.0/16 with 2 IP
addresses involved.
Average is about 122.3 queries in 3 hours. I don't have the deviation
ready to hand.
// Hans
--
--- End Message ---
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
