They are probably spoofed IPs. So those are the target IP IPs of a DDoS
What king of amplification factor does your DNS server have? I bet with the
changes you’ve made, it’s super high. People are looking for DNS servers like
that.
On the contrary, the reponse packets are tiny.
$ host -t txt comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net descriptive text "ab...@comcast.net"
$ host -t hinfo comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net host information "lookup" "comcast.net"
Those reply packets are 108 and 109 bytes, no addditional section, no
DNSSSEC, no nothing.
Any other ideas? One clue is that the queries have random capitalization
which would be consistent with them really coming from Google.
Every once in a while someone decides to look up every domain in the
world and DoS'es it until I update my packet filters. This week it's
been this set of IPs that belong to Google. I don't think they're
8.8.8.8. Any idea what they are? Random Google Cloud customers? A
secret DNS mapping project?
172.253.1.133
172.253.206.36
172.253.1.130
172.253.206.37
172.253.13.196
172.253.255.36
172.253.13.197
172.253.1.131
172.253.255.35
172.253.255.37
172.253.1.132
172.253.13.193
172.253.1.129
172.253.255.33
172.253.206.35
172.253.255.34
172.253.206.33
172.253.206.34
172.253.13.194
172.253.13.195
172.71.125.63
172.71.117.60
172.71.133.51
