At dnswl.org, we collect (DNS) logs to identify abusers of our service. During the last week, the logs increased by a factor of 10 (usually this is pretty stable, going up and down a few percent), so we thought we’d investigate. And we found something new (to us).
From one particular IPv6 range, each and every DNS query was sent from a unique IPv6 /128, and every /128 seen was used exactly once. Since we do not correlate source and question of DNS queries received (for privacy reasons), we cannot tell what exactly was being asked.
We can work around this issue in a number of ways (by blocking them from our DNS servers, excluding them from the log aggregation, etc.), so no direct harm here. However, if such behaviour becomes more widespread, it may have a number of collateral effects (for DNS caches, in log handling, in reputation management systems, etc.).
Is this something others have seen as well (either on the DNSxL lookup side, or in SMTP connections)?
— Matthias
--
Matthias Leisi
Katzenrütistrasse 68, 8153 Rümlang, Switzerland
Mobile +41 79 377 04 43
matth...@leisi.net
Skype matthias.leisi
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
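
One way to spot the pattern described in the message above, as an added example that is not part of the original post or of dnswl.org's tooling: it groups query sources by covering IPv6 prefix and flags prefixes where nearly every query arrives from a different /128. The /64 grouping, the thresholds, the function names and the sample log (documentation prefixes only) are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

def aggregate_by_prefix(sources, v6_prefix_len=64):
    """Group query sources by covering network: a /v6_prefix_len for IPv6, the host for IPv4."""
    buckets = defaultdict(Counter)
    for raw in sources:
        addr = ipaddress.ip_address(raw.strip())
        plen = v6_prefix_len if addr.version == 6 else 32
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        buckets[net][addr] += 1  # per-address hit count inside the prefix
    return buckets

def single_use_prefixes(sources, v6_prefix_len=64, min_queries=100, min_unique_ratio=0.95):
    """Return (prefix, queries, unique /128s) for IPv6 prefixes whose sources are almost never reused."""
    flagged = []
    for net, seen in aggregate_by_prefix(sources, v6_prefix_len).items():
        queries, unique = sum(seen.values()), len(seen)
        # Assumed thresholds: enough volume to matter, and nearly one address per query.
        if net.version == 6 and queries >= min_queries and unique / queries >= min_unique_ratio:
            flagged.append((str(net), queries, unique))
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def constructed_log():
    """Constructed sample: only the source address of each query, no question data."""
    rotating = [f"2001:db8:aa:1::{i:x}" for i in range(1, 501)]  # 500 queries, 500 addresses
    resolvers = ["2001:db8:bb:2::53", "2001:db8:bb:2::54", "2001:db8:bb:2::55"] * 100
    legacy = ["192.0.2.10"] * 200
    return rotating + resolvers + legacy

if __name__ == "__main__":
    log = constructed_log()
    print("distinct source addresses:", len(set(log)))
    print("log keys after prefix aggregation:", len(aggregate_by_prefix(log)))
    for prefix, queries, unique in single_use_prefixes(log):
        print(f"{prefix}: {queries} queries from {unique} distinct /128s")
```

Keying logs and reputation entries on the aggregated prefix instead of the /128 keeps the number of tracked entries bounded when a client rotates addresses inside one range.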