On Sun, 3 Dec 2023, Michael Hare wrote:
This is little consolation, but at AS3128, I see the same thing to our downstream at 
times, claiming to come from both 13335 and 15169 often simultaneously at the tune of 
25Kpps, "assuming it's not spoofed", which is pragmatically impossible to 
prove for me given our indirect relationships with these companies.  When I see these 
events, I typically also see a wide variety of country codes participating 
simultaneously.  Again, assuming it's not spoofed.  To me it just looks like effective 
harassment with 13335/15169 helping out.  I pine for the internet of the 1990s.

Assuming it's really Google and Cloudflare, it is probably not malicious, just very inept mail admins.

They assume that abuse.net is some sort of DNSBL so they configure their mail server to query it for every domain in every message they see, even though the results are useless. I have never been able to get anyone who does this to stop.

It's not unlike the multirbl page at valli.org which proves the truism that any idiot can run a blacklist and many idiots do. He included the abuse.net results and despite a warning right next to the results saying it's not a blacklist, I got a stream of outraged people insisting I was personally blocking their mail. So I was finally able to get him to take it out by returning this custom result:

'Blacklisted.  To remove send $100 to x...@valli.org'

R's,
John

Recent events in GMT for us were the following, curious if you see the same
~ Nov 26 05:40
~ Nov 30 00:40
~ Nov 30 05:55

Application agnostic, on the low $ end for "fixes", if it's either do something 
or face an outage, I've found some utility in short term automated DSCP coloring on 
ingress paired with light touch policing as close to the end host as possible, which at 
least keeps things mostly working during times of conformance.  Cheap/fast and working 
... most of the time.  Definitely not great or complete at all, and a role I'd rather not 
play as an educational ISP/enterprise.

So what are most folks doing to survive crap like this?  Nothing/waiting it 
out?  Outsourcing DNS?  Scrubbing appliance?  Poor man's stuff like I mention 
above?

-Michael

-----Original Message-----
From: NANOG <nanog-bounces+michael.hare=wisc....@nanog.org> On
Behalf Of John R. Levine
Sent: Sunday, December 3, 2023 1:18 PM
To: Peter Potvin <peter.pot...@accuristechnologies.ca>
Cc: nanog@nanog.org
Subject: Re: What are these Google IPs hammering on my DNS server?

Did a bit of digging on Google's developer site and came across this:
https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries

Looks like the IPs you mentioned belong to Google's public DNS resolver
based on that list on their site. They could also be spoofed though from a
DNS AMP attack, so keep that in mind.

Per my recent message, the replies are tiny so if it's an amplification
attack, it's a very incompetent one.  The queries are case randomized so I
guess it's really Google.  Sigh.

If anyone is wondering, I have a passive aggressive countermeasure against
some overqueriers that returns ten NS referral names, and then 25 random
IP addresses for each of those names, but I don't do that to Google.
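John's reasoning above rests on two observations: the replies are tiny (so amplification makes no sense) and the queries are case randomized (0x20 encoding, which a real validating resolver does and a reflector replaying a fixed packet usually does not). The script below is an added example, not code from anyone in this thread, that turns those two checks into a triage step: it parses raw DNS queries, tests the QNAME for mixed case, and flags sources whose per-second rate exceeds a threshold. The sample traffic, the 1-second window, the 4 pps threshold and the RFC 5737 source addresses are all constructed for the example.

```python
"""Triage of a burst of DNS queries: parse each query, check for 0x20
case randomization in the QNAME, and flag sources above a rate threshold.
Added example; the sample traffic is constructed, not captured."""
import struct
from collections import defaultdict


def parse_question(msg: bytes):
    """Parse the 12-byte header and the first question of a DNS message.

    Returns (txid, qname, qtype, qclass). Question names in a query are
    not compressed, so only plain labels are handled here.
    """
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass


def is_case_randomized(qname: str) -> bool:
    """True when the QNAME mixes upper and lower case letters.

    Resolvers that implement 0x20 encoding randomise label case to harden
    against cache poisoning; a reflector replaying a fixed query usually
    does not. Treat this as a hint about the sender, not proof.
    """
    letters = [c for c in qname if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal standard query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def classify_sources(records, window_seconds: float, pps_threshold: float):
    """records: iterable of (src_ip, wire_message) seen within one window.

    Returns {src_ip: {"count", "pps", "randomized", "verdict"}}.
    """
    by_src = defaultdict(list)
    for src, msg in records:
        by_src[src].append(parse_question(msg)[1])
    report = {}
    for src, names in by_src.items():
        pps = len(names) / window_seconds
        randomized = sum(is_case_randomized(n) for n in names)
        if pps < pps_threshold:
            verdict = "normal"
        elif randomized == len(names):
            # every query carries 0x20 mixing: behaves like a real resolver
            verdict = "high-rate, case-randomized"
        else:
            # fixed-case queries at high rate: spoofing is more plausible
            verdict = "high-rate, not case-randomized"
        report[src] = {"count": len(names), "pps": pps,
                       "randomized": randomized, "verdict": verdict}
    return report


def classify_sample():
    """Constructed one-second sample using RFC 5737 documentation addresses."""
    sample = (
        [("192.0.2.10", build_query(n)) for n in
         ("eXaMpLe.CoM", "ExAmPlE.cOm", "examPLE.Com", "EXample.coM", "exAMPle.com")]
        + [("198.51.100.7", build_query("example.com"))] * 5
        + [("203.0.113.5", build_query("exAmple.net"))]
    )
    return classify_sources(sample, window_seconds=1.0, pps_threshold=4.0)


if __name__ == "__main__":
    for src, info in classify_sample().items():
        print(f"{src:14} {info['pps']:6.1f} pps  {info['randomized']}/{info['count']} "
              f"randomized  -> {info['verdict']}")
```

In practice the records would come from a packet capture or query log on the authoritative server; the point of the split verdict is that a high-rate source with fully randomized case is worth a complaint to the operator of that range, while a high-rate source without it is the one to rate-limit or drop first, since its source address is the least trustworthy.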
