
Network Security Incidents

Re: constant flow of root queries

Subject: Re: constant flow of root queries
Date: Thu, 19 Jan 2006 10:29:35 -0600
Try to block the traffic from 207.210.68.202. It looks like some kind
of webhosting company.

Try sending a mail to

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-404-230-9150
OrgAbuseEmail:  abuse@gnax.net

And let them know that one of their machines is giving out some
random requests.

OrgName:    Global Net Access, LLC
OrgID:      GNAL-2
Address:    55 Marietta St, NW
Address:    Suite 1720
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange:   207.210.64.0 - 207.210.127.255
CIDR:       207.210.64.0/18
NetName:    GNAXNET
NetHandle:  NET-207-210-64-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment:
RegDate:    2005-04-12
Updated:    2006-01-09

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-404-230-9150
OrgAbuseEmail:  abuse@gnax.net

OrgTechHandle: ENGIN7-ARIN
OrgTechName:   Engineering
OrgTechPhone:  +1-404-230-9150
OrgTechEmail:  engineering@gnax.net



You could also redirect the traffic to some machine if you want to
perform further analysis.

./thanks
ilaiy

On 1/18/06, Brian Collins <listbc@newnanutilities.org> wrote:
Good day folks.  This morning an admin asked us to check on a large amount
of traffic targeting several DNS servers in our network (both our own DNS
servers and customer co-located DNS servers).  In looking at the traffic I
see that the source is making several queries a second for DNS root.  I have
included a small sample from tcpdump below.  Not sure what the motive is
here.  The TTLs are all 235.  The random source ports make me think
possibly spoofed traffic.  I can put packet dumps up on a website in libpcap
format if anyone is interested.  They are still going on as I type this.

Thanks for any insight you can lend.


08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53:  7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53:  16133+ [1au] ANY ANY? . (28)
08:44:32.191226 IP 207.210.68.202.11958 > 216.130.152.71.53:  24095+ [1au] ANY ANY? . (28)
08:44:32.453721 IP 207.210.68.202.30962 > 216.130.152.71.53:  28728+ [1au] ANY ANY? . (28)
08:44:32.965355 IP 207.210.68.202.30683 > 216.130.152.71.53:  12271+ [1au] ANY ANY? . (28)
08:44:33.468862 IP 207.210.68.202.9966 > 216.130.152.71.53:  28170+ [1au] ANY ANY? . (28)
08:44:33.720408 IP 207.210.68.202.9920 > 216.130.152.71.53:  28160+ [1au] ANY ANY? . (28)
08:44:33.976693 IP 207.210.68.202.22511 > 216.130.152.71.53:  9346+ [1au] ANY ANY? . (28)
08:44:34.233664 IP 207.210.68.202.20625 > 216.130.152.71.53:  18580+ [1au] ANY ANY? . (28)
08:44:34.495015 IP 207.210.68.202.7023 > 216.130.152.71.53:  7968+ [1au] ANY ANY? . (28)
08:44:34.742492 IP 207.210.68.202.6257 > 216.130.152.71.53:  11859+ [1au] ANY ANY? . (28)
08:44:35.001415 IP 207.210.68.202.25244 > 216.130.152.71.53:  5372+ [1au] ANY ANY? . (28)
08:44:35.257812 IP 207.210.68.202.17576 > 216.130.152.71.53:  14270+ [1au] ANY ANY? . (28)
08:44:35.778259 IP 207.210.68.202.3384 > 216.130.152.71.53:  1508+ [1au] ANY ANY? . (28)
08:44:36.034492 IP 207.210.68.202.13754 > 216.130.152.71.53:  23670+ [1au] ANY ANY? . (28)
08:44:36.290463 IP 207.210.68.202.11008 > 216.130.152.71.53:  8899+ [1au] ANY ANY? . (28)
08:44:36.805271 IP 207.210.68.202.18348 > 216.130.152.71.53:  19806+ [1au] ANY ANY? . (28)
08:44:37.061876 IP 207.210.68.202.19532 > 216.130.152.71.53:  31844+ [1au] ANY ANY? . (28)