We've been seeing the same thing since 2010-06-10:

22:13:19.687981 IP 72.236.167.197.41789 > 72.236.167.138.domain: 38783+ A? jkl.cnr.cn. (28)
22:13:19.773076 IP 72.236.167.124.33327 > 72.236.167.138.domain: 38783+ A? i10.aliimg.com. (32)
22:13:19.855750 IP 72.236.167.169.33381 > 72.236.167.138.domain: 38783+ A? www.vrp3d.com. (31)
22:13:19.941155 IP 72.236.167.200.33005 > 72.236.167.138.domain: 38783+ A? www.51seer.com. (32)
22:13:20.026342 IP 72.236.167.141.36652 > 72.236.167.138.domain: 38783+ A? img1.kaixin001.com.cn. (39)
22:13:20.102540 IP 72.236.167.188.39525 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com.cn. (38)
22:13:20.204403 IP 72.236.167.103.37838 > 72.236.167.138.domain: 38783+ A? pic.kaixin001.com. (35)
22:13:20.791201 IP 72.236.167.186.38958 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com. (36)
22:13:20.876527 IP 72.236.167.121.33000 > 72.236.167.138.domain: 38783+ A? pic1.kaixin001.com.cn. (39)
22:13:20.971393 IP 72.236.167.203.33726 > 72.236.167.138.domain: 38783+ A? logo.kaixin001.com.cn. (39)
22:13:21.051831 IP 72.236.167.120.35298 > 72.236.167.138.domain: 38783+ A? qqtest.cdn20.com. (34)
22:13:21.132215 IP 72.236.167.196.34862 > 72.236.167.138.domain: 38783+ A? upload.elle.cn. (32)
22:13:21.218372 IP 72.236.167.116.35073 > 72.236.167.138.domain: 38783+ A? www.elle.cn. (29)

Spoofed, all with a TTL of 3. Given that all of the domains in question appear to have nameservers in common, I assumed someone was trying to make us participate in a DDoS attack, and started dropping all of the traffic.

On Jun 16, 2010, at 9:01 PM, Jon Lewis wrote:

> I just took a closer look at something odd I'd noticed several days ago. One
> of our DNS servers was sending crazy amounts of ARP requests for IPs in the
> /24 its main IP is in. What I've found is we're getting hit with DNS
> requests that look like they're from "typical internet traffic for someone in
> China" hitting this DNS server from IPs in its /24 which are currently not in
> use (at least on our local network). It would appear someone in China is
> using our IP space, presumably behind a NAT router, and they're leaking some
> traffic non-NAT'd.
>
> 20:53:41.361734 IP 209.208.121.66.41755 > 209.208.121.126.53: 15939+ A? ns5.z.lxdns.com. (33)
> 20:53:43.523210 IP 209.208.121.95.39393 > 209.208.121.126.53: 15939+ A? www.nanhutravel.com. (37)
> 20:53:48.411805 IP 209.208.121.66.33390 > 209.208.121.126.53: 15939+ A? test.csxm.cdn20.com. (37)
> 20:53:50.557680 IP 209.208.121.135.40056 > 209.208.121.126.53: 15939+ A? rextest2.lxdns.com. (36)
> 20:53:56.918993 IP 209.208.121.135.37291 > 209.208.121.126.53: 15939+ A? www.51seer.com. (32)
> 20:54:20.033902 IP 209.208.121.95.37544 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
> 20:54:21.900295 IP 209.208.121.66.35144 > 209.208.121.126.53: 15939+ A? static.xn-app.com. (35)
> 20:54:27.711853 IP 209.208.121.66.33518 > 209.208.121.126.53: 15939+ A? oa.hanhe.com. (30)
> 20:54:29.642938 IP 209.208.121.135.41723 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com. (36)
> 20:54:32.357414 IP 209.208.121.95.38564 > 209.208.121.126.53: 15939+ A? rr.snyu.com. (29)
> 20:54:38.901315 IP 209.208.121.95.37840 > 209.208.121.126.53: 15939+ A? edu.163.com. (29)
> 20:54:39.807385 IP 209.208.121.95.36069 > 209.208.121.126.53: 15939+ A? image.dhgate.cdn20.com. (40)
> 20:54:40.833778 IP 209.208.121.66.34949 > 209.208.121.126.53: 15939+ A? uphn.snswall.com. (34)
> 20:54:42.070294 IP 209.208.121.95.38405 > 209.208.121.126.53: 15939+ A? zwgk.cma.gov.cn. (33)
> 20:54:42.189939 IP 209.208.121.135.36637 > 209.208.121.126.53: 15939+ A? btocdn.52yeyou.com. (36)
> 20:54:45.767299 IP 209.208.121.95.41405 > 209.208.121.126.53: 15939+ A? img1.kaixin001.com.cn. (39)
> 20:54:48.595582 IP 209.208.121.66.40099 > 209.208.121.126.53: 15939+ A? rextest2.cdn20.com. (36)
> 20:54:49.480147 IP 209.208.121.95.42363 > 209.208.121.126.53: 15939+ A? www.dameiren.com. (34)
> 20:54:50.714200 IP 209.208.121.135.41497 > 209.208.121.126.53: 15939+ A? pic1.kaixin001.com.cn. (39)
> 20:54:54.116841 IP 209.208.121.135.36828 > 209.208.121.126.53: 15939+ A? i.jstv.com. (28)
>
> I hope they got a good deal on the IP space...and a better deal on their
> buggy router.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
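One way to pick this pattern out of a capture, as an added example that is not code from either poster: parse the one-line tcpdump output shown above and flag any DNS transaction ID that is shared by many distinct source addresses inside the resolver's own /24. Both the sample capture and the 192.0.2.0/24 addresses are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Matches the one-line tcpdump DNS query format quoted in the thread:
#   HH:MM:SS.usec IP <src>.<sport> > <dst>.<53|domain>: <txid>+ A? <qname>. (<len>)
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>(?:\d{1,3}\.){3}\d{1,3})\.\d+ > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?:53|domain): "
    r"(?P<txid>\d+)\+ A\? (?P<qname>\S+) \(\d+\)$"
)

def parse_queries(lines):
    """Yield (src, dst, txid, qname) for every line that parses; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["txid"]), m["qname"].rstrip(".")

def find_spoofed_txids(lines, resolver_ip, min_sources=5):
    """Return {txid: sorted source IPs} for transaction IDs reused by at least
    min_sources distinct sources inside the resolver's own /24.  Real stub
    resolvers pick a fresh ID per query, so one fixed ID arriving from many
    "neighbour" addresses is the signature of the flood seen in the thread."""
    prefix = ipaddress.ip_network(f"{resolver_ip}/24", strict=False)
    sources_by_txid = defaultdict(set)
    for src, dst, txid, _ in parse_queries(lines):
        if dst == resolver_ip and src != resolver_ip and ipaddress.ip_address(src) in prefix:
            sources_by_txid[txid].add(src)
    return {t: sorted(s, key=ipaddress.ip_address)
            for t, s in sources_by_txid.items() if len(s) >= min_sources}

# Constructed sample capture (RFC 5737 addresses, resolver at 192.0.2.53).
SAMPLE_CAPTURE = [
    # five spoofed queries: one fixed ID, sources spread across the resolver's /24
    "22:13:19.687981 IP 192.0.2.197.41789 > 192.0.2.53.domain: 38783+ A? img1.example.test. (35)",
    "22:13:19.773076 IP 192.0.2.124.33327 > 192.0.2.53.domain: 38783+ A? pic.example.test. (34)",
    "22:13:19.855750 IP 192.0.2.169.33381 > 192.0.2.53.domain: 38783+ A? www.example.test. (34)",
    "22:13:19.941155 IP 192.0.2.200.33005 > 192.0.2.53.domain: 38783+ A? logo.example.test. (35)",
    "22:13:20.026342 IP 192.0.2.141.36652 > 192.0.2.53.domain: 38783+ A? cdn.example.test. (34)",
    # ordinary lookups with per-query IDs: one local host, one from outside the /24
    "22:13:20.500000 IP 192.0.2.10.50123 > 192.0.2.53.domain: 4711+ A? mail.example.test. (35)",
    "22:13:20.600000 IP 198.51.100.7.51000 > 192.0.2.53.53: 9001+ A? www.example.test. (34)",
]

if __name__ == "__main__":
    for txid, srcs in find_spoofed_txids(SAMPLE_CAPTURE, "192.0.2.53").items():
        print(f"txid {txid} reused by {len(srcs)} in-prefix sources: {', '.join(srcs)}")
```

On a live box the same function can be fed `tcpdump -n -l port 53` output; the source list it returns is what the ARP storm in Jon's report corresponds to, and is the set to drop or rate-limit.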