Possible DDoS?

Dennis Clarke dclarke at blastwave.org
Wed Oct 17 18:39:32 UTC 2012


> From time to time I notice a large number of queries like these to one 
> of my external dns servers:
> 
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
<snip>
> 
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.
> Thanks
> 

I have the exact same problem with an IP inside the State of Colorado General Government Computer subnet:

    http://whois.arin.net/rest/org/SCGGC

Some server there has been pounding queries at me at a rate of 48,000+ a day:

# head -1  named.run
08-Oct-2012 17:40:49.733 now using logging configuration from config file
# 
# grep "^08-Oct-2012" named.run | grep -c "165\.127\.10\.50"
12245
# grep "^09-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48200
# grep "^10-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48198
# grep "^11-Oct-2012" named.run | grep -c "165\.127\.10\.50"
47737
# grep "^12-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48345
# grep "^13-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48810
# grep "^14-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48385
# grep "^15-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48429
# grep "^16-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48768

Thus far today : 

# grep "^17-Oct-2012" named.run | grep -c "165\.127\.10\.50"
37279

Queries show up in bunches: while the average is one every 1.7 secs, I see dozens of queries all arrive at nearly the same time, then a ten-second pause, then another burst.

Makes no sense to me what is going on there. 

Dennis 
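The grep counts above give a per-day total for one client but say nothing about the burst pattern described. The following is an added example, not part of this thread and not BIND's own code, that parses BIND 9-style query-log lines (the exact log format is an assumption, and the sample lines, client addresses and query names are constructed), tallies queries per client per day, flags clients over a daily threshold, and groups each client's queries into bursts so a "dozens at once, then a ten-second pause" pattern is visible in the output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in BIND 9 query-log style (format assumed; addresses are
# documentation ranges, not the ones in the thread). The first line is a
# non-query line like the one shown in the post and must be skipped.
SAMPLE_LOG = """\
17-Oct-2012 13:00:00.000 now using logging configuration from config file
17-Oct-2012 14:14:40.014 client 198.51.100.7#53210: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:40.021 client 198.51.100.7#53211: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:40.033 client 198.51.100.7#53212: query: gop.gov IN AAAA + (143.231.1.67)
17-Oct-2012 14:14:40.040 client 198.51.100.7#53213: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:40.052 client 198.51.100.7#53214: query: gop.gov IN MX + (143.231.1.67)
17-Oct-2012 14:14:40.060 client 198.51.100.7#53215: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:43.500 client 203.0.113.9#40001: query: www.example.org IN A + (143.231.1.67)
17-Oct-2012 14:14:50.101 client 198.51.100.7#53216: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:50.108 client 198.51.100.7#53217: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:50.115 client 198.51.100.7#53218: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:50.120 client 198.51.100.7#53219: query: gop.gov IN A + (143.231.1.67)
17-Oct-2012 14:14:50.131 client 198.51.100.7#53220: query: gop.gov IN A + (143.231.1.67)
18-Oct-2012 09:00:00.000 client 203.0.113.9#40002: query: www.example.org IN A + (143.231.1.67)
"""

# "<timestamp> client <ip>#<port>: query: <name> IN <type> ..." (assumed layout)
LINE_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client ([\d.]+)#\d+: "
    r"query: (\S+) IN (\S+)"
)


def parse_queries(text):
    """Return (timestamp, client_ip, qname, qtype) for each query line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records


def queries_per_day(records):
    """Count queries keyed by (day string, client ip), like the per-day greps in the post."""
    counts = Counter()
    for ts, ip, _qname, _qtype in records:
        counts[(ts.strftime("%d-%b-%Y"), ip)] += 1
    return counts


def heavy_hitters(counts, daily_threshold):
    """(day, ip, n) for every client whose daily count reaches the threshold, sorted."""
    return sorted((day, ip, n) for (day, ip), n in counts.items() if n >= daily_threshold)


def bursts(records, window_secs=1.0, min_count=5):
    """Group each client's queries into bursts: runs of queries each arriving within
    window_secs of the previous one. Returns (ip, burst_start, size) for runs of at
    least min_count queries, so a 'many at once, then a pause' pattern stands out."""
    by_ip = defaultdict(list)
    for ts, ip, _qname, _qtype in records:
        by_ip[ip].append(ts)
    found = []
    for ip, times in by_ip.items():
        times.sort()
        start, prev, size = times[0], times[0], 1
        for t in times[1:]:
            if (t - prev).total_seconds() <= window_secs:
                size += 1
            else:
                if size >= min_count:
                    found.append((ip, start, size))
                start, size = t, 1
            prev = t
        if size >= min_count:
            found.append((ip, start, size))
    return found


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for day, ip, n in heavy_hitters(queries_per_day(recs), daily_threshold=10):
        print(f"{day} {ip}: {n} queries")
    runs = bursts(recs)
    for i, (ip, start, size) in enumerate(runs):
        gap = "" if i == 0 else f" ({(start - runs[i-1][1]).total_seconds():.1f}s after previous burst)"
        print(f"{ip}: burst of {size} starting {start.time()}{gap}")
```

Run against a real named.run with `parse_queries(open("named.run").read())`; the daily threshold and burst window are the knobs to tune before deciding whether a client belongs in a blackhole list or a rate-limit rule.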
