nanog mailing list archives

Re: Malicious DNS request?


From: Gadi Evron <ge () linuxbox org>
Date: Thu, 12 May 2005 12:41:12 +0400


Joe Shen wrote:
Hi,

In past days I noticed the nxdomain statistics in
named.stats keep increasing (I run it every 5 min).

By tcpdump, it's found that a remote computer keeps asking
for the address of records like
999d38e693b9e6293b450.0existence.com,
60d38e693b9e6293b450.0be6c1xfa.net.

Is that a virus-affected computer?

How could such requests be filtered, or their
effect on the DNS server minimized?

Either this is a DDoS (woohoo!! I used the forbidden word) or you are
seeing a botnet trying to connect and putting in some smoke-screen while
at it to try and poison dns-top.

I'd suggest dropping requests for domains you don't hold.

        Gadi.
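
One way to measure the pattern discussed in this thread before filtering anything, as an added example that is not part of the original messages: it counts NXDOMAIN queries for names outside the zones a server holds, per client, and notes how many have a long hex-looking first label. The zone names, the simplified "client qname rcode" log format and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: zones this server holds (placeholder names).
HELD_ZONES = {"example.net", "example.org"}

# Constructed sample in a simplified "client qname rcode" form (not real capture output).
SAMPLE_LOG = """\
192.0.2.10 www.example.net NOERROR
198.51.100.7 999d38e693b9e6293b450.0existence.com NXDOMAIN
198.51.100.7 60d38e693b9e6293b450.0be6c1xfa.net NXDOMAIN
198.51.100.7 a1b2c3d4e5f60718293a4.0existence.com NXDOMAIN
192.0.2.10 mail.example.org NOERROR
203.0.113.5 typo.example.net NXDOMAIN
"""

HEXISH = re.compile(r"^[0-9a-f]{16,}$")  # long hex-looking leftmost label


def in_held_zone(qname, zones=HELD_ZONES):
    """True if qname equals, or is a subdomain of, a zone we hold."""
    name = qname.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def summarize(log, threshold=3):
    """Count out-of-zone NXDOMAIN queries per client; flag clients at or over threshold."""
    out_of_zone, hexish = Counter(), Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        if rcode != "NXDOMAIN" or in_held_zone(qname):
            continue  # an in-zone typo is ordinary noise, not this pattern
        out_of_zone[client] += 1
        if HEXISH.match(qname.split(".")[0].lower()):
            hexish[client] += 1
    flagged = sorted(c for c, n in out_of_zone.items() if n >= threshold)
    return out_of_zone, hexish, flagged


if __name__ == "__main__":
    counts, hexish, flagged = summarize(SAMPLE_LOG)
    for client in flagged:
        print(client, counts[client], "out-of-zone NXDOMAIN,", hexish[client], "hex-like")
```

Clients that end up flagged are the candidates for rate limiting or refusal at the server or an upstream filter.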

