I recently noticed a bunch of DNS requests hitting my WAN IP (where I don't run a DNS server). They're sustained, from a fairly small set of source IPs. The queries are weird: The "Question" is for <Root> (a single 00
byte), and have an "Additional record" of type OPT, also with name <Root>. Is this part of an attack against some recent CVE? Is it worth reporting these sorts of things to the abuse contact in WHOIS for the IP?
22:30:06.406020 IP (tos 0x0, ttl 240, id 43779, offset 0, flags [none], proto UDP (17), length 56) 169.55.119.4.43136 > xxx.xxx.xxx.xxx.53: [udp sum ok] 22510+ [1au] A? . ar: . OPT UDPsize=1280 (28) 22:30:12.415737 IP (tos 0x0, ttl 240, id 43789, offset 0, flags [none], proto UDP (17), length 56) 169.55.119.4.35237 > xxx.xxx.xxx.xxx.53: [udp sum ok] 12216+ [1au] A? . ar: . OPT UDPsize=1280 (28) 22:30:23.110057 IP (tos 0x0, ttl 240, id 15394, offset 0, flags [none], proto UDP (17), length 56) 198.23.119.36.2532 > xxx.xxx.xxx.xxx.53: [udp sum ok] 37476+ [1au] A? . ar: . OPT UDPsize=1280 (28) 22:30:29.129976 IP (tos 0x0, ttl 240, id 15402, offset 0, flags [none], proto UDP (17), length 56) 198.23.119.36.45860 > xxx.xxx.xxx.xxx.53: [udp sum ok] 31860+ [1au] A? . ar: . OPT UDPsize=1280 (28) 22:30:35.139692 IP (tos 0x0, ttl 240, id 15410, offset 0, flags [none], proto UDP (17), length 56) 198.23.119.36.16678 > xxx.xxx.xxx.xxx.53: [udp sum ok] 13519+ [1au] A? . ar: . OPT UDPsize=1280 (28) 22:30:45.435683 IP (tos 0x0, ttl 240, id 43833, offset 0, flags [none], proto UDP (17), length 56) 169.55.119.4.44565 > xxx.xxx.xxx.xxx.53: [udp sum ok] 14516+ [1au] A? . ar: . OPT UDPsize=1280 (28)
In case anyone is curious here's a redacted (-
) hexdump of one of the packets: -- -- -- -- -- -- -- -- -- -- -- -- 08 00 45 00 00 38 a8 81 00 00 f0 11 12 df a9 37 77 04 -- -- -- -- 40 cd 00 35 00 24 59 f9 4d 2b 01 00 00 01 00 00 00 00 00 01 00 00 01 00 01 00 00 29 05 00 00 00 00 00 00 00
No comments:
Post a Comment