They are probably spoofed IPs. So those are the target IPs of a DDoS.
What kind of amplification factor does your DNS server have? I bet with the changes you’ve made, it’s super high. People are looking for DNS servers like that.

Tom

> On Dec 3, 2023, at 10:49 AM, John Levine <jo...@iecc.com> wrote:
>
> At contacts.abuse.net, I have a little stunt DNS server that provides domain
> contact info, e.g.:
>
> $ host -t txt comcast.net.contacts.abuse.net
> comcast.net.contacts.abuse.net descriptive text "ab...@comcast.net"
>
> $ host -t hinfo comcast.net.contacts.abuse.net
> comcast.net.contacts.abuse.net host information "lookup" "comcast.net"
>
> Every once in a while someone decides to look up every domain in the
> world and DoS'es it until I update my packet filters. This week it's
> been this set of IPs that belong to Google. I don't think they're
> 8.8.8.8. Any idea what they are? Random Google Cloud customers? A
> secret DNS mapping project?
>
> R's,
> John