lot of 'ripe.net IN ANY +ED' queries

Daniel Migault mglt.biz at gmail.com
Tue Jul 24 17:03:43 UTC 2012


Actually we detected these ripe.net ANY requests by observing an 
increase in TCP DNS requests due to large DNSSEC responses. IP address 
does not seem spoofed. It seems these (very few) client wait 10 sec 
before closing their TCP connection, which increases the platform load.
We think it is a malware, but feel free to provide more information on 
that topic.

BR
Daniel

On 07/24/2012 05:22 PM, Stephane Bortzmeyer wrote:
> On Mon, Jul 23, 2012 at 04:49:24PM +0200,
>   Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
>   a message of 15 lines which said:
>
>> Buggy. It parses the DNS packet from the end and therefore fails
>> with EDNS packets (which have the OPT resource record at the end).
> After checking, I stand corrected. This is not the original xt_dns
> (which is buggy) but a fork which fixes the parsing. Sorry for the
> false alarm.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users




More information about the bind-users mailing list