Possible DDoS?
Dennis Clarke
dclarke at blastwave.org
Wed Oct 17 18:39:32 UTC 2012
> From time to time I notice a large number of queries like these to one
> of my external DNS servers:
>
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
<snip>
>
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.
> Thanks
>
I have the exact same problem with an IP inside the State of Colorado General Government Computer subnet:
http://whois.arin.net/rest/org/SCGGC
Some server there has been pounding queries at me at a rate of 48,000+ a day:
# head -1 named.run
08-Oct-2012 17:40:49.733 now using logging configuration from config file
#
# grep "^08-Oct-2012" named.run | grep -c "165\.127\.10\.50"
12245
# grep "^09-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48200
# grep "^10-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48198
# grep "^11-Oct-2012" named.run | grep -c "165\.127\.10\.50"
47737
# grep "^12-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48345
# grep "^13-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48810
# grep "^14-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48385
# grep "^15-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48429
# grep "^16-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48768
Thus far today:
# grep "^17-Oct-2012" named.run | grep -c "165\.127\.10\.50"
37279
Queries show up in bunches: while the average is one every 1.7 seconds, I see dozens of queries all arrive at nearly the same time, then a ten-second pause, then another burst.
It makes no sense to me what is going on there.
Dennis
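The grep pipeline in the post counts one source address per day by hand. The script below is an added example, not something posted to the thread or part of BIND: it parses BIND 9 query-log lines, reproduces the per-day count, breaks the traffic down by query type, and measures the burstiness the post describes (how many queries from one source land inside a one-second window, compared with the average interval). The log lines are constructed for the example; only the address 165.127.10.50 comes from the post, and the timestamps, ports, names and the 192.0.2.53 server address are invented.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of BIND 9 query-log lines (invented for this example; only the
# source address 165.127.10.50 is taken from the post). The first line mirrors the
# non-query line the post shows at the head of named.run, and the last line uses the
# newer "client addr#port (name):" form so the parser handles both.
SAMPLE_LOG = """\
08-Oct-2012 17:40:49.733 now using logging configuration from config file
09-Oct-2012 10:00:00.010 client 165.127.10.50#40001: query: gop.gov IN ANY + (192.0.2.53)
09-Oct-2012 10:00:00.020 client 165.127.10.50#40002: query: gop.gov IN ANY + (192.0.2.53)
09-Oct-2012 10:00:00.030 client 165.127.10.50#40003: query: gop.gov IN ANY + (192.0.2.53)
09-Oct-2012 10:00:00.040 client 165.127.10.50#40004: query: gop.gov IN ANY + (192.0.2.53)
09-Oct-2012 10:00:10.100 client 165.127.10.50#40005: query: gop.gov IN ANY + (192.0.2.53)
09-Oct-2012 10:00:10.110 client 165.127.10.50#40006: query: gop.gov IN ANY + (192.0.2.53)
09-Oct-2012 10:00:11.500 client 198.51.100.7#5353: query: www.example.com IN A + (192.0.2.53)
10-Oct-2012 03:12:00.000 queries: info: client 165.127.10.50#40007 (gop.gov): query: gop.gov IN ANY + (192.0.2.53)
"""

# Timestamp, optional "queries: info:" category prefix, client address#port with an
# optional "(name)" part, then the query name, class and type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?"
    r"client (?P<src>[^#\s]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_log(text):
    """Return one record per query line; non-query lines (config messages etc.) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        records.append({"ts": ts, "src": m.group("src"),
                        "name": m.group("name"), "qtype": m.group("qtype")})
    return records


def daily_counts(records, src):
    """Queries per calendar day from src: what grep '^DD-Mon-YYYY' | grep -c src gives."""
    counts = Counter(r["ts"].strftime("%d-%b-%Y") for r in records if r["src"] == src)
    return dict(counts)


def qtype_breakdown(records, src):
    """Query types sent by src; a flood that is entirely one type (e.g. ANY) stands out here."""
    return dict(Counter(r["qtype"] for r in records if r["src"] == src))


def mean_interval_s(records, src):
    """Average seconds between consecutive queries from src (None if fewer than two)."""
    times = sorted(r["ts"] for r in records if r["src"] == src)
    if len(times) < 2:
        return None
    return (times[-1] - times[0]).total_seconds() / (len(times) - 1)


def max_queries_in_window(records, src, window_s=1.0):
    """Largest number of queries from src arriving within any window_s-second span.

    A source whose average rate is modest but whose queries arrive in tight bunches
    shows a burst size far above (average rate * window), which is the pattern the
    post describes: dozens at once, a pause, then another burst.
    """
    times = sorted(r["ts"] for r in records if r["src"] == src)
    best, j = 0, 0
    for i in range(len(times)):
        # Advance the right edge while it is still inside the window starting at times[i].
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def top_sources(records, n=5):
    """Busiest client addresses overall, to spot the next candidate for a blackhole."""
    return Counter(r["src"] for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    src = "165.127.10.50"
    print("per day:", daily_counts(recs, src))
    print("by type:", qtype_breakdown(recs, src))
    print("mean interval (s):", mean_interval_s(recs, src))
    print("max in 1 s window:", max_queries_in_window(recs, src))
    print("top sources:", top_sources(recs))
```

Run it against a real named.run by replacing SAMPLE_LOG with the file contents (query logging must be on, e.g. `rndc querylog`). The burst figure is the useful addition over the daily grep: the same 48,000 queries a day could be a steady resolver that is badly configured or a bursty client, and `max_queries_in_window` separates the two before you decide to blackhole the address.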