>> tcp query flood for cctlds and sec.cctlds, could be others
>> being sent via popular open servers: goog, neustar, ...
>> O(100)qps or higher
>
> - What was the duration of the event (UTC time start and end)?
after a short break, it is ongoing
> - Any stats on the rtype(s)?
> - Any stats on the mix of qnames?
> * Repeated or distinct?
> * Extant, NODATA or NXDOMAIN?
i am just running dnstop from cli. admit to need to spend time on
better tooling. but hard to justify without some feeling that i would
be able to configure a significant defense given new data. i have a
many decade history of just waiting for net idiots to go away.
> - Any stats on the upstream client distribution?
big dns resolvers: goog, yandex, ... though today, it seems pretty
distributed
Sources                  Count      %   cum%
-------------------- --------- ------ ------
184.80.47.40             31158    0.5    0.5
212.16.184.205           22261    0.3    0.8
112.198.115.36           18408    0.3    1.1
2001:fd8:220::4          17941    0.3    1.4
123.176.0.20             16481    0.2    1.6
212.77.192.101           14925    0.2    1.8
78.100.2.13              14913    0.2    2.1
59.18.54.69              14632    0.2    2.3
...
> To elicit TCP requests from the public DNS providers the queries would
> likely have to first elicit truncated UDP replies (DNSKEY RRset, signed
> denial of existence, ...). Did you also observe the associated UDP
> traffic?
have not had the time to look.
randy
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
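An added triage helper, written for this page and not posted by anyone in the thread: it answers the questions asked above (rtype mix, repeated versus distinct qnames, extant / NODATA / NXDOMAIN split, TCP versus UDP share, and a dnstop-style source table) from a query log. The one-record-per-line format, the field order and the sample lines (documentation addresses, not the sources reported above) are all constructed assumptions; adapt `parse_log` to whatever your server or capture tooling actually emits.

```python
"""Query-flood triage: summarise qtype mix, qname repetition, answer category,
transport share and source concentration from query-log lines."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in an assumed one-record-per-line format:
#   <client> <proto> <qname> <qtype> <rcode> <ancount>
# Addresses are documentation ranges, not the sources reported in the thread.
SAMPLE_LOG = """\
192.0.2.10 tcp example.cc DNSKEY NOERROR 4
192.0.2.10 tcp example.cc DNSKEY NOERROR 4
192.0.2.10 tcp example.cc DNSKEY NOERROR 4
192.0.2.10 udp example.cc DNSKEY NOERROR 4
198.51.100.7 tcp example.cc DNSKEY NOERROR 4
198.51.100.7 tcp x7q2.example.cc A NXDOMAIN 0
198.51.100.7 tcp k9pd.example.cc A NXDOMAIN 0
2001:db8::4 tcp example.cc TXT NOERROR 0
2001:db8::4 tcp example.cc DNSKEY NOERROR 4
203.0.113.9 tcp www.example.cc A NOERROR 1
203.0.113.9 udp example.cc SOA NOERROR 1
203.0.113.9 tcp example.cc DNSKEY NOERROR 4
"""

Record = Dict[str, object]


def parse_log(text: str) -> List[Record]:
    """Parse whitespace-separated records; blank or malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        client, proto, qname, qtype, rcode, ancount = parts
        records.append({
            "client": client,
            "proto": proto.lower(),
            "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(),
            "rcode": rcode.upper(),
            "ancount": int(ancount),
        })
    return records


def answer_category(rec: Record) -> str:
    """extant = data returned; NODATA = NOERROR with an empty answer section."""
    if rec["rcode"] == "NXDOMAIN":
        return "NXDOMAIN"
    if rec["rcode"] == "NOERROR":
        return "extant" if rec["ancount"] > 0 else "NODATA"
    return str(rec["rcode"])  # SERVFAIL, REFUSED, ... reported as-is


def qtype_mix(records: List[Record]) -> Counter:
    return Counter(r["qtype"] for r in records)


def answer_mix(records: List[Record]) -> Counter:
    return Counter(answer_category(r) for r in records)


def proto_mix(records: List[Record]) -> Counter:
    return Counter(r["proto"] for r in records)


def qname_stats(records: List[Record]) -> Dict[str, object]:
    """Repeated vs distinct: one name hammered repeatedly (cacheable, so the
    resolvers themselves are being worked around) looks very different from
    random labels that each force a fresh lookup."""
    names = Counter(r["qname"] for r in records)
    total = sum(names.values())
    if total == 0:
        return {"total": 0, "distinct": 0, "top": None, "top_share": 0.0}
    top, top_count = names.most_common(1)[0]
    return {"total": total, "distinct": len(names),
            "top": top, "top_share": top_count / total}


def source_table(records: List[Record], limit: int = 10) -> List[Tuple[str, int, float, float]]:
    """dnstop-style table: (source, count, % of total, cumulative %)."""
    counts = Counter(r["client"] for r in records)
    total = sum(counts.values())
    rows: List[Tuple[str, int, float, float]] = []
    cum = 0.0
    # Sort by count descending, then by address so ties are deterministic.
    for src, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]:
        pct = 100.0 * n / total
        cum += pct
        rows.append((src, n, round(pct, 1), round(cum, 1)))
    return rows


def summarize(text: str) -> Dict[str, object]:
    recs = parse_log(text)
    return {"queries": len(recs), "qtypes": qtype_mix(recs),
            "answers": answer_mix(recs), "protos": proto_mix(recs),
            "qnames": qname_stats(recs), "sources": source_table(recs)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['queries']} queries; qtypes {dict(s['qtypes'])}; answers {dict(s['answers'])}")
    print(f"protos {dict(s['protos'])}; qnames {s['qnames']}")
    print(f"{'Sources':<20} {'Count':>9} {'%':>6} {'cum%':>6}")
    for src, n, pct, cum in s["sources"]:
        print(f"{src:<20} {n:>9} {pct:>6.1f} {cum:>6.1f}")
```

The useful signals for deciding whether a defence is even configurable are the ones the script separates out: a mix dominated by DNSKEY or by names that get signed denial of existence is consistent with the truncation-then-TCP pattern described in the last quoted question, a low distinct-to-total qname ratio means the big resolvers are serving repeats that their caches should have absorbed, and a flat source table (as the thread reports for today) means per-source rate limits will not help much.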