Hi all,
We have noticed a huge spike in transfer last week, which calmed down to a transfer rate of about 191 kb/s since. The original outgoing spike (1.5 mb/s) lasted about 1 day, but, as mentioned, has subsided. I have never seen this before and am wondering if this is some kind of DoS or other attack. I have looked several times using data capture, but the data does not appear to be readable. The UDP data packets are coming through port 53. Here is a snip of the captured data below. Any hints or suggestions will be appreciated.

22:27:56.607435 IP (tos 0x0, ttl 64, id 17307, offset 0, flags [none], proto: UDP (17), length: 1027, bad cksum 0 (->1480)!) ns1.mynameserver.com.domain > 72-45-3-047-dhcp.gsv.md.atlanticbb.net.46886: [bad udp cksum 1087!] 47670*- q: Type46? . 4/13/1 . Type46, . Type46, . Type46, . Type46 ns: . NS f.root-servers.net., . NS d.root-servers.net., . NS m.root-servers.net., . NS h.root-servers.net., . NS i.root-servers.net., . NS e.root-servers.net., . NS a.root-servers.net., . NS j.root-servers.net., . NS c.root-servers.net., . NS b.root-servers.net., . NS k.root-servers.net., . NS l.root-servers.net., . NS g.root-servers.net. ar: . OPT UDPsize=4096 (999)
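One way to summarise a capture like the one above, as an added example that is not part of the original post: it tallies outbound port-53 responses per destination, query type and query name from tcpdump's verbose text output, so repeated large answers to one client stand out. The sample lines, host names and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the one-line verbose form seen in the post: IP total length,
# "<server>.domain > <client>.<port>:", then "q: <TYPE>? <NAME>".
LINE_RE = re.compile(
    r"length:?\s*(?P<len>\d+).*?"
    r"\s(?P<src>\S+)\.(?:domain|53) > (?P<dst>\S+)\.(?P<dport>\d+):"
    r".*?q: (?P<qtype>\S+)\? (?P<qname>\S+)"
)

# Constructed sample input (not taken from a real capture).
HDR = "IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto: UDP (17), "
SAMPLE = [
    "22:27:56.607435 " + HDR + "length: 1027) ns1.example.net.domain > "
    "client-a.example.org.46886: 47670*- q: Type46? . 4/13/1",
    "22:27:56.707435 " + HDR + "length: 1027) ns1.example.net.domain > "
    "client-a.example.org.46887: 47671*- q: Type46? . 4/13/1",
    "22:27:57.100000 " + HDR + "length: 120) ns1.example.net.domain > "
    "client-b.example.org.40002: 100*- q: A? www.example.net. 1/2/2",
    # An inbound query: the source is not port 53, so it is skipped.
    "22:27:57.000000 " + HDR + "length: 61) client-b.example.org.40002 > "
    "ns1.example.net.domain: 100+ A? www.example.net. (33)",
]


def summarize(lines, big=540):
    """Group responses by (destination, qtype, qname).

    `big` is an IP total length: a 512-byte DNS message (the classic UDP
    limit without EDNS) plus 20 bytes of IP and 8 bytes of UDP header.
    Returns a list of (key, stats) pairs, largest byte total first.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "big": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DNS response line in the expected form
        size = int(m["len"])
        entry = stats[(m["dst"], m["qtype"], m["qname"])]
        entry["packets"] += 1
        entry["bytes"] += size
        entry["big"] += int(size > big)
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for (dst, qtype, qname), s in summarize(SAMPLE):
        print(f"{dst:28} {qtype:8} {qname:18} {s}")
```
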