Hey,

On Mon, Jan 9, 2023 at 03:50, <[email protected]> wrote:

> Example of (part of) query burst - in this case the client sends
> bursts of 84 queries within less than 1 ms:
>
> 09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> 09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
> ...
> 09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)

Have you looked at the IP TTL within each of these bursts?

A random distribution might suggest a dispersed set of sources (or ALGs or NATs 
or something). Patterns might give other clues.

Joe
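
One way to run the TTL check suggested above over a capture taken with `tcpdump -n -v` (which prints the IP TTL), as an added example that is not part of the thread: it groups each source's queries into bursts and tallies the TTLs seen in each burst. The sample packets, the 1 ms gap threshold and the minimum burst size of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in `tcpdump -n -v` layout; addresses and TTLs are invented.
def _pkt(ts, src, ttl):
    return (f"{ts} IP (tos 0x0, ttl {ttl}, id 0, offset 0, flags [none], "
            f"proto UDP (17), length 66)\n"
            f"    {src}.40000 > 198.51.100.53.53: 24781+ A? www.example.com. (38)\n")

SAMPLE = "".join(_pkt(*p) for p in [
    ("09:24:56.593259", "192.0.2.10", 54), ("09:24:56.593283", "192.0.2.10", 54),
    ("09:24:56.593307", "192.0.2.10", 54), ("09:24:58.100000", "192.0.2.10", 54),
    ("09:24:56.600010", "192.0.2.77", 49), ("09:24:56.600020", "192.0.2.77", 112),
    ("09:24:56.600031", "192.0.2.77", 57), ("09:24:56.600045", "192.0.2.77", 238),
])

HDR = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(.*?\bttl (\d+),")
FLOW = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: ")

def parse(text):
    """Yield (seconds_since_midnight, src_ip, ttl) for each IPv4 packet to port 53."""
    pending = None
    for line in text.splitlines():
        h = HDR.match(line)
        if h:  # first line of a -v record: timestamp and IP header fields
            hh, mm, ss, ttl = h.groups()
            pending = (int(hh) * 3600 + int(mm) * 60 + float(ss), int(ttl))
            continue
        f = FLOW.match(line)
        if f and pending:  # second line: addresses, ports and the DNS summary
            yield pending[0], f.group(1), pending[1]
        pending = None

def bursts(records, max_gap=0.001, min_size=3):
    """Split each source's packets into runs whose inter-packet gap is <= max_gap."""
    by_src = defaultdict(list)
    for ts, src, ttl in sorted(records):
        runs = by_src[src]
        if runs and ts - runs[-1][-1][0] <= max_gap:
            runs[-1].append((ts, ttl))
        else:
            runs.append([(ts, ttl)])
    return [(s, r) for s, runs in by_src.items() for r in runs if len(r) >= min_size]

def ttl_profile(text):
    """Return one (src_ip, packet_count, Counter of TTLs) tuple per burst."""
    return [(src, len(run), Counter(t for _, t in run)) for src, run in bursts(parse(text))]

if __name__ == "__main__": print(*ttl_profile(SAMPLE), sep="\n")
```

A burst whose counter holds a single TTL and one whose TTLs are scattered are the two cases the reply distinguishes; the parser does not handle captures that cross midnight.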

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
