I'm seeing a lot of DNS lookups for all the three letter domain names
for which we are listed as authoritative (we have five).
The requests look like this:
req: nlookup(foo.com) id 64450 type=255 class=255
188.8.131.52.domain > myserver.domain: 31881+ ANY ANY? foo.com. (25)
4500 0035 1e38 0000 ed11 e20a d464 e811
c7f5 4909 0035 0035 0021 0000 7c89 0100
0001 0000 0000 0000 0365 6f73 0363 6f6d
0000 ff00 ff
We get about 400 requests per minute, per "attacking" machine,
per authoritative name server, per domain.
This happened on July 25 with these two sources:
and today, August 25, with this source:
Clearly, this is not a problem right now. But if the
number of attacking machines grows, then any machine that
serves many three-letter domain names might notice.
And who knows, maybe the cretins will get creative and move
to four letter domains!
P.S. I mentioned the two dates above (7/25, 8/25) purely for
entertainment purposes. Consistent with the NY Times
article last weekend about putting too much weight in
events that are merely coincidences, I don't mean to imply
that there is a "25th of the month" conspiracy afoot.