At contacts.abuse.net, I have a little stunt DNS server that provides domain
contact info, e.g.:
$ host -t txt comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net descriptive text "ab...@comcast.net"
$ host -t hinfo comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net host inf
Before when I had my honeypot firewall off everything that crossed its
threshold, I ended up blocking myself from a variety of authoritative servers,
including Google's.
-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
- Original Mes
They are probably spoofed IPs. So those are the target IPs of a DDoS
What kind of amplification factor does your DNS server have? I bet with the
changes you’ve made, it’s super high. People are looking for DNS servers like
that.
Tom
> On Dec 3, 2023, at 10:49 AM, John Levine wrote:
>
Did a bit of digging on Google's developer site and came across this:
https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries
Looks like the IPs you mentioned belong to Google's public DNS resolver
based on that list on their site. T
They are probably spoofed IPs. So those are the target IPs of a DDoS
What kind of amplification factor does your DNS server have? I bet with the
changes you’ve made, it’s super high. People are looking for DNS servers like
that.
On the contrary, the response packets are tiny.
$ host -t
172.253.X.X are Google DNS : https://www.gstatic.com/ipranges/publicdns.json
172.71.X.X are Cloudflare : https://www.cloudflare.com/ips-v4/#
On Sun, Dec 3, 2023 at 1:49 PM John Levine wrote:
> At contacts.abuse.net, I have a little stunt DNS server that provides
> domain contact info, e.g.:
>
Did a bit of digging on Google's developer site and came across this:
https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries
Looks like the IPs you mentioned belong to Google's public DNS resolver
based on that list on their site.
John-
This is little consolation, but at AS3128, I see the same thing to our
downstream at times, claiming to come from both 13335 and 15169 often
simultaneously at the tune of 25Kpps, "assuming it's not spoofed", which is
pragmatically impossible to prove for me given our indirect relationshi
On Sun, 3 Dec 2023, Michael Hare wrote:
This is little consolation, but at AS3128, I see the same thing to our downstream at
times, claiming to come from both 13335 and 15169 often simultaneously at the tune of
25Kpps, "assuming it's not spoofed", which is pragmatically impossible to
prove fo
> On 4 Dec 2023, at 08:21, Michael Hare via NANOG wrote:
>
> John-
>
> This is little consolation, but at AS3128, I see the same thing to our
> downstream at times, claiming to come from both 13335 and 15169 often
> simultaneously at the tune of 25Kpps, "assuming it's not spoofed", which i
Just set TC=1 for those clients. If you get queries over TCP then they were
not spoofed. If they are using DNS COOKIE (RFC 7873) you can send back
BADCOOKIE to the initial (client cookie only) UDP request with your server
cookie. Identifying real DNS clients has been possible for years now.
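
The TC=1 approach from the last message, as an added example that is not part of the original thread or any poster's code: it builds an empty truncated reply to a UDP query and treats a source as genuine once it has retried over TCP. The SpoofGate class, its method names and the 192.0.2.53 address are assumptions made for illustration, and the query is constructed sample input.

```python
import struct

def build_query(name: str, qtype: int, qid: int) -> bytes:
    """Constructed sample input: a one-question query with RD=1."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    off = 12
    while True:
        if off >= len(msg):
            raise ValueError("question runs past end of message")
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        off += 1 + length
        if length == 0:
            break
    if off + 4 > len(msg):
        raise ValueError("question runs past end of message")
    return off + 4

def truncated_reply(query: bytes) -> bytes:
    """Empty response with TC=1 echoing the query's ID and question."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    # QR=1 and TC=1; keep OPCODE and RD from the query; RCODE stays 0.
    rflags = 0x8000 | 0x0200 | (flags & 0x7900)
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:question_end(query)]

class SpoofGate:
    """Hypothetical policy: a source counts as real once it has queried over TCP."""
    def __init__(self):
        self.verified = set()

    def on_tcp_query(self, src_ip: str) -> None:
        # A completed TCP handshake means the source address was not forged.
        self.verified.add(src_ip)

    def on_udp_query(self, src_ip: str, query: bytes):
        # None tells the caller to answer normally; otherwise send the TC=1 reply.
        return None if src_ip in self.verified else truncated_reply(query)
```

The truncated reply carries only the header and the echoed question, so it is never larger than the query that triggered it.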