nanog mailing list archives

Re: Probes from root servers


From: John Kristoff <jtk () cymru com>
Date: Thu, 16 Jul 2009 23:39:23 -0500

On Thu, 16 Jul 2009 15:56:29 -0700
"Pederson, Krishna" <Pederson () covad com> wrote:

> One of our IP addresses is being probed by up to 8 of the 13 root dns
> servers every 15 seconds. I'm looking for input on how to contact the
> admins for the servers or perhaps a way to figure out if perhaps
> someone is spoofing the affected customer IP address, causing the
> root servers to send the following:

Hi Krishna,

You may want to make sure a second set of eyes confirms that these are
not real responses to real queries from 74.1.32.205. If you're certain
there are no outgoing queries that solicit these messages, how about
getting a peek inside those packets? If you can do that, you should
be able to get a better idea of what may be happening.

It is somewhat peculiar that the destination port is 1039 in the 3
flow records you've shown and that you're only seeing packets from 8 of
the 13 root addresses. It's a clue, but inconclusive. It seems like it
might be legitimate traffic from a resolver that is not doing source
port randomization. Being that it's only every 15 seconds, that would seem
too slow for an attack against 74.1.32.205, poisoning or otherwise.
Could be backscatter. I can't speak for the root ops, but I think they
would prefer you perform a bit more investigation if you can.

John
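As an added example (not part of this thread or anyone's posted code), here is a small Python check for the investigation John suggests: correlate inbound packets from root server addresses with the customer's own outbound queries, so unsolicited "responses" (possible backscatter from a spoofed source) can be told apart from real replies, and the set of query source ports shows whether the resolver randomizes them. It assumes flow records reduced to (timestamp, src, sport, dst, dport) tuples and only a partial, hand-entered set of root addresses; the sample flows are constructed.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport")

# Assumed subset of root server addresses; take the full list from the root hints file.
ROOT_SERVERS = {"198.41.0.4", "192.33.4.12", "192.5.5.241", "193.0.14.129", "202.12.27.33"}


def classify(flows, customer_ip, roots=ROOT_SERVERS, window=5.0):
    """Split inbound root->customer flows into solicited and unsolicited.

    A response counts as solicited if the customer sent a query to the same
    root address, from the port the response is addressed to, within
    `window` seconds before the response arrived.
    """
    outbound = [f for f in flows if f.src == customer_ip and f.dst in roots and f.dport == 53]
    inbound = [f for f in flows if f.dst == customer_ip and f.src in roots and f.sport == 53]
    solicited, unsolicited = [], []
    for r in inbound:
        matched = any(q.dst == r.src and q.sport == r.dport and 0 <= r.ts - q.ts <= window
                      for q in outbound)
        (solicited if matched else unsolicited).append(r)
    return {
        "solicited": solicited,
        "unsolicited": unsolicited,
        # A resolver with source port randomization shows many distinct ports here.
        "query_source_ports": sorted({q.sport for q in outbound}),
        "roots_seen": sorted({r.src for r in inbound}),
    }


def intervals(flows):
    """Gaps in seconds between consecutive flows (a steady cadence hints at a fixed-rate source)."""
    ts = sorted(f.ts for f in flows)
    return [round(b - a, 3) for a, b in zip(ts, ts[1:])]


# Constructed sample: one real query/response pair, then unsolicited packets
# from three root addresses to port 1039 every 15 seconds with no matching query.
SAMPLE = [
    Flow(0.0, "74.1.32.205", 1039, "198.41.0.4", 53),
    Flow(0.1, "198.41.0.4", 53, "74.1.32.205", 1039),
    Flow(15.0, "192.33.4.12", 53, "74.1.32.205", 1039),
    Flow(30.0, "192.5.5.241", 53, "74.1.32.205", 1039),
    Flow(45.0, "193.0.14.129", 53, "74.1.32.205", 1039),
]

if __name__ == "__main__":
    result = classify(SAMPLE, "74.1.32.205")
    print(len(result["solicited"]), "solicited,", len(result["unsolicited"]), "unsolicited")
    print("query source ports:", result["query_source_ports"])
    print("unsolicited inter-arrival:", intervals(result["unsolicited"]))
```

Run against real flow data, a large unsolicited set with a single fixed destination port and a steady inter-arrival time is what John's backscatter hypothesis would look like; many matched pairs with varied source ports points to an ordinary resolver instead.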

