lot of 'ripe.net IN ANY +ED' queries
Daniel Migault
mglt.biz at gmail.com
Tue Jul 24 17:03:43 UTC 2012
Actually we detected these ripe.net ANY requests by observing an
increase in TCP DNS requests due to large DNSSEC responses. IP address
does not seem spoofed. It seems these (very few) client wait 10 sec
before closing their TCP connection, which increases the platform load.
We think it is a malware, but feel free to provide more information on
that topic.
BR
Daniel
On 07/24/2012 05:22 PM, Stephane Bortzmeyer wrote:
> On Mon, Jul 23, 2012 at 04:49:24PM +0200,
> Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
> a message of 15 lines which said:
>
>> Buggy. It parses the DNS packet from the end and therefore fails
>> with EDNS packets (which have the OPT resource record at the end).
> After checking, I stand corrected. This is not the original xt_dns
> (which is buggy) but a fork which fixes the parsing. Sorry for the
> false alarm.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list