[ncc-services-wg] Re: [dns-wg] Analysis of Increased Query Load on Root Name Servers
Emile Aben
emile.aben at ripe.net
Tue Jul 12 09:20:51 CEST 2011
On 12/07/2011 02:41, Doug Barton wrote:
> On 07/11/2011 07:02, Mirjam Kuehne wrote:
>> [apologies for duplicates]
>>
>> Dear colleagues,
>>
>> We did some more analysis of the recent increase in query load on K-root
>> and other root name servers. Please read on RIPE Labs:
>>
>> http://labs.ripe.net/Members/wnagele/analysis-of-increased-query-load-on-root-name-servers
>
> This analysis is interesting from the traffic standpoint, but doesn't
> seem to answer one of the questions that I had, which is what caused the
> sudden increase? Historically this kind of thing has happened in the
> case of a misconfiguration for the name service for a popular domain,
> but (unless I missed it, and if so apologies) the question of, "Was
> <domain> misconfigured?" isn't answered in this paper.

Hi Doug,

We don't have all the answers, but it appears not to be related to a
misconfigured zone, the zone looked (and still looks) like this:

<domain>.com. 7200 IN SOA ns1.<nsdomain>. root.ns1.<domain>.com. 20091027 28800 600 604800 86400
<domain>.com. 300 IN A <ipv4_1>
<domain>.com. 300 IN A <ipv4_2>
<domain>.com. 7200 IN NS ns1.<nsdomain>.
<domain>.com. 7200 IN NS ns2.<nsdomain>.
<domain>.com. 7200 IN NS ns3.<nsdomain>.
<domain>.com. 7200 IN NS ns4.<nsdomain>.
www.<domain>.com. 300 IN A <ipv4_1>
www.<domain>.com. 300 IN A <ipv4_2>
<domain>.com. 7200 IN SOA ns1.<nsdomain>. root.ns1.<domain>.com. 20091027 28800 600 604800 86400

As mentioned in the article, we have several indications that this was
caused by a botnet. It is unlikely this was a reflector attack with
spoofed source addresses, as there are some 60,000 unique source IPs per
hour in the queries for this specific domain. For targeted spoofing I'd
expect this number to be very low, for random spoofing I'd expect this
number would be far higher.

If you have any clue or indication on things we could further
investigate, let us know, here or on RIPE Labs.

best regards,
Emile Aben
RIPE NCC
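The unique-sources-per-hour reasoning in the message above can be turned into a check over a query log. The following is an added example, not code from the post or from RIPE NCC: it counts queries and distinct source addresses per hour for one domain and compares the distinct count with what uniformly random IPv4 spoofing would produce. The function names, the `few`, `near_random` and `min_queries` cut-offs, and `example.com` (standing in for the redacted domain) are assumptions.

```python
import math
from collections import defaultdict

IPV4_SPACE = 2 ** 32  # addresses a random spoofer could draw from


def expected_unique_if_random(queries, space=IPV4_SPACE):
    """Expected distinct sources if each query carried a uniformly random address:
    space * (1 - (1 - 1/space) ** queries), computed without losing precision."""
    return -space * math.expm1(queries * math.log1p(-1.0 / space))


def per_hour_profile(records, domain):
    """records: iterable of (epoch_seconds, source_ip, qname).
    Returns {hour_index: (query_count, unique_source_count)} for domain and its subdomains."""
    counts, sources = defaultdict(int), defaultdict(set)
    domain = domain.lower().rstrip(".")
    for ts, src, qname in records:
        name = qname.lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            hour = int(ts) // 3600
            counts[hour] += 1
            sources[hour].add(src)
    return {h: (counts[h], len(sources[h])) for h in counts}


def classify(queries, unique, few=10, near_random=0.9, min_queries=1000):
    """Label one hour. The cut-offs are illustrative assumptions, not values from the thread."""
    if queries < min_queries:
        return "insufficient-data"
    if unique <= few:
        return "targeted-or-few-clients"  # a handful of addresses, e.g. spoofed victims
    if unique / expected_unique_if_random(queries) >= near_random:
        return "random-spoofing"          # nearly every query has a new source
    return "bounded-population"           # many sources, each seen repeatedly


def constructed_sample(n_queries, n_sources, hour=0):
    """Constructed test data: n_queries for www.example.com from n_sources addresses."""
    out = []
    for i in range(n_queries):
        k = i % n_sources
        ip = "10.%d.%d.%d" % (k >> 16, (k >> 8) & 255, k & 255)
        out.append((hour * 3600 + i % 3600, ip, "www.example.com."))
    return out


if __name__ == "__main__":
    for n_src in (2, 200, 5000):
        for hour, (q, u) in per_hour_profile(constructed_sample(5000, n_src), "example.com").items():
            print(hour, q, u, classify(q, u))
```

An hour with tens of thousands of distinct sources that each recur many times falls in the "bounded-population" case, which matches the botnet reading given in the message.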