On 12/07/2011 02:41, Doug Barton wrote:
> On 07/11/2011 07:02, Mirjam Kuehne wrote:
>> [apologies for duplicates]
>>
>> Dear colleagues,
>>
>> We did some more analysis of the recent increase in query load on K-root and other root name servers. Please read on RIPE Labs:
>>
>> http://labs.ripe.net/Members/wnagele/analysis-of-increased-query-load-on-roo...
>
> This analysis is interesting from the traffic standpoint, but doesn't seem to answer one of the questions that I had, which is what caused the sudden increase? Historically this kind of thing has happened in the case of a misconfiguration for the name service for a popular domain, but (unless I missed it, and if so apologies) the question of, "Was <domain> misconfigured?" isn't answered in this paper.
Hi Doug,

We don't have all the answers, but it appears not to be related to a misconfigured zone. The zone looked (and still looks) like this:

    <domain>.com.      7200  IN  SOA  ns1.<nsdomain>. root.ns1.<domain>.com. 20091027 28800 600 604800 86400
    <domain>.com.      300   IN  A    <ipv4_1>
    <domain>.com.      300   IN  A    <ipv4_2>
    <domain>.com.      7200  IN  NS   ns1.<nsdomain>.
    <domain>.com.      7200  IN  NS   ns2.<nsdomain>.
    <domain>.com.      7200  IN  NS   ns3.<nsdomain>.
    <domain>.com.      7200  IN  NS   ns4.<nsdomain>.
    www.<domain>.com.  300   IN  A    <ipv4_1>
    www.<domain>.com.  300   IN  A    <ipv4_2>
    <domain>.com.      7200  IN  SOA  ns1.<nsdomain>. root.ns1.<domain>.com. 20091027 28800 600 604800 86400

As mentioned in the article, we have several indications that this was caused by a botnet. It is unlikely this was a reflector attack with spoofed source addresses, as there are some 60,000 unique source IPs per hour in the queries for this specific domain. For targeted spoofing I would expect this number to be very low; for random spoofing I would expect this number to be far higher.

If you have any clue or indication on things we could further investigate, let us know, here or on RIPE Labs.

best regards,
Emile Aben
RIPE NCC
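The per-hour unique-source count that Emile uses to separate a botnet from spoofed reflection traffic, as an added example (not code from the thread or from the RIPE Labs analysis); the log format, the sample lines and the thresholds in source_profile are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed query log (not real root-server data), one query per line:
#   <UTC timestamp> <client IP> <qname> <qtype>
SAMPLE_LOG = """\
2011-07-01T10:00:03Z 192.0.2.10 www.example.com. A
2011-07-01T10:00:05Z 192.0.2.11 example.com. A
2011-07-01T10:07:41Z 192.0.2.10 www.example.com. A
2011-07-01T10:30:00Z 198.51.100.7 mail.example.com. MX
2011-07-01T10:31:12Z 203.0.113.9 other.test. A
2011-07-01T11:02:00Z 192.0.2.10 www.example.com. A
"""

def parse_line(line):
    """Split one log line; raises ValueError on a malformed line or bad IP."""
    ts, src, qname, qtype = line.split()
    ipaddress.ip_address(src)  # reject garbage in the source column early
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, src, qname.lower().rstrip("."), qtype

def per_hour_stats(log_text, domain):
    """Query count and distinct source count per UTC hour, for <domain>
    and every name under it; other names are ignored."""
    domain = domain.lower().rstrip(".")
    queries = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, qname, _ = parse_line(line)
        if qname == domain or qname.endswith("." + domain):
            hour = when.strftime("%Y-%m-%dT%H")
            queries[hour] += 1
            sources[hour].add(src)
    return {h: {"queries": queries[h], "unique_sources": len(sources[h])}
            for h in sorted(queries)}

def source_profile(unique_sources, few=100, random_like=1_000_000):
    """Apply the reasoning from the thread: very few distinct sources fits
    a fixed spoofed set, tens of thousands fits a botnet, and a count that
    approaches the address space fits random spoofing. The two cut-offs
    are illustrative assumptions, not figures from the analysis."""
    if unique_sources < few:
        return "few-sources"
    if unique_sources < random_like:
        return "many-distinct-sources"
    return "random-spoofing-like"
```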