Has anybody else seen this before?

I operate a large distributed farm of DNS caching resolvers
for my customers, with many public addresses and behind SLB.

Recently I began seeing a large number of malformed queries
coming from a handful of machines in Europe, targeting
one particular public resolver IP address.  And it affects
my servers' performance.

Here are some snoop lines; notice the recurring strings in them
(across attackers, and within each attacker):

{attacker#1} -> {my-victimized-IP} DNS C ,D+[SA[UVDYkjwkdnwlkjw+dnwlkjwkdnwlkjwk”óþ”•ˆ“`nÎlenationcom edgesuitenet Unknown (17) Unknown (20380) ?

{attacker#1} -> {my-victimized-IP} DNS C ,D+[SA[UVDYkjwkdnwlkjw+dnwlkjwkdnwlkjwk§Cµ"”•ˆ“`nÎl Unknown (28531) Unknown (3847) ?

{UKattacker#2} -> {my-victimized-IP} DNS C ,D+[SAZVYOZkjwkdnwlkjw+dnwlkjwkdnwlkjwkF-ÃR”•ˆ“`n·itchyÀÀ Unknown (256) Unknown (512) ?

{UKattacker#2} -> {my-victimized-IP} DNS C ,D+[SAZVYOZkjwkdnwlkjw+dnwlkjwkdnwlkjwk_„`<”•ˆ“`n·lVALLEYNET Unknown (256) Unknown (512) ?

{UKattacker#2} -> {my-victimized-IP} DNS C ,D+[SAZVYOZkjwkdnwlkjw+dnwlkjwkdnwlkjwk8lÒ×”•ˆ“`n·ladnsnet Unknown (1100) Unknown (41216) ?

{attacker#3} -> {my-victimized-IP} DNS C ,D+[SAZQXO_kjwkdnwlkjw+dnwlkjwkdnwlkjwkÑkjwk`ngm Unknown (256) Unknown (512) ?

This happened once before (January 2010) and I managed to make contact
with one of them, and here is what he said:
We've re-initialised our firewall.  {that machine} is our internal firewall for
the office here, nothing to do really with the ISP services we run for others.
The traffic appeared to be generated directly from the firewall itself.  A
reboot cleared it.  We've also upgraded the firmware to the latest patch.

Model of firewall is:  FortiWiFi-50B , Firmware 4.0 MR1 Patch 2

Any ideas?  What's causing it?  How to make it stop?
--
 Patrick Larkin Jr - Dallas Texas USA
   Earthlink Core Services Engineering
      plar...@corp.earthlink.net



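As an added illustration (not part of the original post, and not BIND or snoop code), the following Python script shows how a resolver operator could triage traffic like the snoop lines above: it parses the question section of raw DNS queries leniently, flags the features visible in the post (the recurring filler string, non-printable bytes in labels, and QTYPE/QCLASS values that snoop reports as "Unknown"), and counts flagged queries per source so the "handful of machines" stands out. The packets and the source addresses are constructed here (RFC 5737 documentation ranges), and the `COMMON_QTYPES`/`COMMON_QCLASSES` sets and the `FILLER` signature are this example's own assumptions, taken from the shape of the posted lines rather than from any published rule.

```python
import struct
from collections import Counter

# Query types and classes a caching resolver commonly sees; snoop prints
# anything it does not recognise as "Unknown (n)", as in the posted lines.
# These sets are an assumption of this example, not a standard list.
COMMON_QTYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 35, 255}
COMMON_QCLASSES = {1, 3, 4, 255}
# Filler string recurring in the posted queries, across and within sources.
FILLER = b"kjwkdnwlkjw"


def build_query(labels, qtype, qclass, txid=0x1234):
    """Assemble a minimal DNS query (header + one question) from raw labels.
    Used here only to construct sample traffic; it does no validation."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_question(pkt):
    """Extract (labels, qtype, qclass, qdcount) from a raw query, tolerating junk.
    Labels are returned as raw bytes; a compression pointer ends the name."""
    if len(pkt) < 12:
        raise ValueError("short-header")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    labels, pos = [], 12
    while pos < len(pkt):
        length = pkt[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:            # compression pointer: two bytes, name ends
            pos += 2
            break
        labels.append(pkt[pos + 1:pos + 1 + length])
        pos += 1 + length
    if pos + 4 > len(pkt):
        raise ValueError("truncated-question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return labels, qtype, qclass, qdcount


def classify(pkt):
    """Return the reasons a query looks malformed; an empty list means it looks normal."""
    try:
        labels, qtype, qclass, qdcount = parse_question(pkt)
    except ValueError as err:
        return [str(err)]
    reasons = []
    name = b".".join(labels)
    if qdcount != 1:
        reasons.append("qdcount-%d" % qdcount)
    if FILLER in name:
        reasons.append("filler-string")
    if any(b < 0x20 or b > 0x7E for b in name):   # bytes outside printable ASCII
        reasons.append("non-printable-label")
    if qtype not in COMMON_QTYPES:
        reasons.append("uncommon-qtype-%d" % qtype)
    if qclass not in COMMON_QCLASSES:
        reasons.append("uncommon-qclass-%d" % qclass)
    return reasons


def flagged_sources(traffic):
    """Count malformed queries per source address over (src, packet) pairs."""
    counts = Counter()
    for src, pkt in traffic:
        if classify(pkt):
            counts[src] += 1
    return counts


# Constructed sample traffic with documentation addresses (RFC 5737), not the
# poster's real sources; the junk labels imitate the shape of the snoop lines.
SAMPLE_TRAFFIC = [
    ("203.0.113.10", build_query([b"www", b"example", b"com"], 1, 1)),
    ("198.51.100.7", build_query([b"SA[UVDY" + FILLER + b"+dnwlkjwkdnwlkjwk\x94\x95\x88",
                                  b"edgesuite", b"net"], 17, 20380)),
    ("198.51.100.7", build_query([b"SAZVYOZ" + FILLER + b"+dnwlkjwkdnwlkjwk",
                                  b"itchy"], 256, 512)),
    ("198.51.100.9", build_query([b"SAZQXO_" + FILLER + b"\xd1kjwk", b"gm"], 256, 512)),
    ("203.0.113.11", build_query([b"mail", b"example", b"net"], 15, 1)),
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_TRAFFIC:
        print(src, classify(pkt) or "ok")
    print(flagged_sources(SAMPLE_TRAFFIC))
```

Run against a real capture, the same `classify` function can be fed the UDP payloads from a pcap instead of `SAMPLE_TRAFFIC`; the per-source counts are what you would hand to the abuse contact (as the poster did in January 2010) or use to build a temporary rate limit on the affected resolver address.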
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users