[Wolves] OT: Odd DNS traffic to unused IP

Andy Smith andy at strugglers.net
Sun May 15 02:34:11 UTC 2016

Hi Simon,

On Fri, May 13, 2016 at 11:44:51AM +0000, Simon Burke via Wolves wrote:
> For some reason we're getting a fairly constant stream of DNS
> traffic directed towards a unused IP.

Is it a valid DNS query, or do the packets just have a destination of udp/53?

Is it lots of different source addresses, or only one?

If:

- they're real queries, and

- the answer to the queries is quite large, and

- the source address is the same, or only a small set of addresses

then I would be suspecting it to be a DNS reflection attack with one
of your IP addresses mistakenly (perhaps due to a typo or similar
error) being used as the open recursive resolver.

If it's not a valid DNS query then there probably isn't much you can
do about it since there is no guarantee that UDP traffic actually
comes from the IP address it says it does, and since it's already a
dead destination IP there is no protocol chat going on that can be
slowed down by you actually responding.

If it is a valid DNS query then I suppose there's some fringe
possibility that giving an answer will make it cache it and go away,
but probably not if it's already been happily blasting the same
query to something that never responds.

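As an added example (not part of Andy's reply or of the thread), a small Python triage script that does the two checks he asks about on captured UDP/53 payloads: parse each datagram as a DNS query (QR bit clear, standard opcode, exactly one question, a well-formed name) instead of trusting the destination port, then count distinct source addresses and how many queries ask for record types with large answers. The addresses, names and sample packets are constructed for the example; the verdict thresholds are illustrative assumptions, not anything from the thread.

```python
"""Triage a stream of UDP/53 datagrams: are they real DNS queries, what do
they ask for, and how many distinct sources send them?  Sample packets are
constructed inline with made-up addresses; this is added example code."""
import struct
from collections import Counter

# Query types whose answers tend to be large and so are favoured for
# reflection/amplification (assumed list for the example).
AMPLIFYING_QTYPES = {255: "ANY", 16: "TXT", 48: "DNSKEY", 46: "RRSIG"}


def parse_query(payload: bytes):
    """Return (qname, qtype) if payload is a well-formed single-question DNS
    query, else None.  Checks the 12-byte header (QR=0, opcode=0, QDCOUNT=1,
    no answer/authority records), a parseable label sequence and class IN."""
    if len(payload) < 12:
        return None
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:              # QR set: this is a response, not a query
        return None
    if (flags >> 11) & 0xF != 0:    # only the standard QUERY opcode
        return None
    if qd != 1 or an != 0 or ns != 0:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:             # root label terminates the name
            break
        if length & 0xC0:           # compression pointers are not valid here
            return None
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:                 # class IN only
        return None
    return (".".join(labels) or ".", qtype)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; used only to construct the sample below."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode()
                    for l in qname.strip(".").split(".") if l) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def qtype_name(qtype: int) -> str:
    return AMPLIFYING_QTYPES.get(qtype, "TYPE%d" % qtype)


def triage(packets):
    """packets: iterable of (src_ip, udp_payload).  Returns a summary dict:
    counts of valid/invalid queries, large-answer qtypes, distinct sources,
    the most common questions, and a one-line verdict."""
    sources, qnames = Counter(), Counter()
    valid = invalid = amplifying = 0
    for src, payload in packets:
        sources[src] += 1
        q = parse_query(payload)
        if q is None:
            invalid += 1
            continue
        valid += 1
        qname, qtype = q
        qnames[(qname, qtype_name(qtype))] += 1
        if qtype in AMPLIFYING_QTYPES:
            amplifying += 1
    total = valid + invalid
    if total == 0:
        verdict = "no packets"
    elif valid == 0:
        verdict = "not DNS: junk aimed at udp/53, nothing to answer"
    elif len(sources) <= 3 and amplifying >= valid // 2:
        verdict = "likely reflection attempt: few sources, large-answer qtypes"
    else:
        verdict = "valid queries from many sources: misdirected clients"
    return {"total": total, "valid": valid, "invalid": invalid,
            "amplifying": amplifying, "distinct_sources": len(sources),
            "top_queries": qnames.most_common(3), "verdict": verdict}


# Constructed sample: one (presumably spoofed) source repeating ANY and TXT
# queries for a zone, plus one junk datagram.  Addresses are documentation
# ranges, not real hosts.
SAMPLE_PACKETS = (
    [("198.51.100.7", build_query("example.org", 255))] * 5
    + [("198.51.100.7", build_query("example.org", 16))] * 2
    + [("203.0.113.9", b"\x00\x01not-dns")]
)

if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS))
```

In practice the (src_ip, payload) pairs would come from a capture on the dead IP (e.g. tcpdump's raw output fed through a pcap reader); the point is that a datagram to port 53 is only "DNS traffic" once it parses, and that the source count, not the packet count, tells you whether one spoofed victim or many real clients are behind it.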