DNS traffic sourced from my address space to myself.

Howdy,

Recently I have been noticing a good amount of totally bogus DNS traffic coming in on my transit links via my own IP addresses (spoofed).

SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.145.161(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.74(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.70(0) -> x.x.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp x.x.146.57(0) -> x.x.145.235(0), 1 packet

There are multiple different instances of this traffic; the pattern seems to be:

- The source is always 'my own IPs' and obviously spoofed.
- It's DNS traffic.
- The "source addresses" all seem to be randomly chosen from the same /23 as the destination address (they cycle through randomly).

Has anyone else noticed anything similar coming in on their transit links or am I just lucky?

Normally my iACL catches this but I've just been noticing more of it lately.

-Drew
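The pattern described in the post above, checked against IPACCESSLOGP lines; this is an added example, not part of the original thread. The own-prefix list and the sample addresses (RFC 2544 test range) are constructed assumptions, and the log is assumed to come from the ACL applied inbound on the transit link.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the operator's own address space (constructed, RFC 2544 test range).
OWN_PREFIXES = [ipaddress.ip_network("198.18.144.0/22")]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample lines in the same format as the log lines quoted in the post.
SAMPLE_LOG = """\
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 198.18.145.161(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:02 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 198.18.144.74(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 198.18.144.70(0) -> 198.18.145.235(0), 3 packets
SLOT 2:Jul 2 11:26:03 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 198.18.146.57(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:04 EDT: %SEC-6-IPACCESSLOGP: list 119 permitted udp 203.0.113.9(0) -> 198.18.145.235(0), 1 packet
SLOT 2:Jul 2 11:26:05 EDT: %LINK-3-UPDOWN: Interface POS2/0, changed state to up
"""


def is_own(addr):
    """True if addr falls inside any prefix we originate."""
    return any(addr in net for net in OWN_PREFIXES)


def spoofed_inbound(log_text):
    """Group log entries whose *source* is in our own space, keyed by destination.

    On a transit-facing ACL such a source cannot be genuine, so every hit is spoofed.
    'same_23' holds the sources that share the destination's /23, the pattern in the post.
    """
    hits = defaultdict(lambda: {"sources": set(), "same_23": set(), "packets": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL log line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if not is_own(src):
            continue  # ordinary external source, nothing to flag
        entry = hits[str(dst)]
        entry["sources"].add(str(src))
        entry["packets"] += int(m["count"])
        if src in ipaddress.ip_network(f"{dst}/23", strict=False):
            entry["same_23"].add(str(src))
    return dict(hits)
```

A destination with many distinct own-space sources, most of them inside its own /23, matches the behaviour described in the post.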

I posted the same thing June 16, 2010. Search for

If you can capture some of the traffic and see what the DNS requests are, that would let you see if it's the same sort of issue I was seeing or something different.

Yeah... I've seen this type of behaviour w/ folks picking random source addresses from the IPv6 /32... Sure wish I could announce something smaller.

--bill