On 07/12/2011 00:20, Emile Aben wrote:
> We don't have all the answers, but it appears not to be related to a misconfigured zone

Thank you for satisfying my idle curiosity. :) I did not mean to imply that your report was in any way deficient at describing what you think the problem was actually caused by. My curiosity about this particular issue was raised for 2 reasons, one being (as I said previously) the history of previous incidents. The other is that, given that if this were a DDOS attempt it's a rather weak one (on several levels), I can't help finding that unlikely. (Which again, is not a criticism of your analysis, merely a disturbing lack of pieces falling neatly into previously-known patterns.)

I did note this from your scrubbed zone file:

    <domain>.com. 7200 IN NS ns1.<nsdomain>.
    <domain>.com. 7200 IN NS ns2.<nsdomain>.
    <domain>.com. 7200 IN NS ns3.<nsdomain>.
    <domain>.com. 7200 IN NS ns4.<nsdomain>.

Are we to conclude from that that <nsdomain> is different from <domain>.com? If so, and <nsdomain> is misconfigured somehow, that would start to look more like misconfiguration patterns that we've seen in the past; particularly if <nsdomain> is not in COM, and therefore the COM zone has no glue for those hostnames.

I also note that 2 hours seems to be a ridiculously short TTL for NS records, which would seem to put a little more weight on the "possible misconfiguration" side of the balance. One could imagine a moderately popular game site receiving the CN equivalent of being slashdotted, and previously-painless minor misconfigurations suddenly causing much larger problems.

hth,

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
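An added example, not part of the thread or anyone's posted code: a small offline check over a constructed zone excerpt modelled on the scrubbed records quoted above. It classifies each NS target by whether the parent zone can carry glue for it (in-bailiwick, same TLD, or out-of-bailiwick) and flags NS TTLs below a threshold, the two delegation concerns raised in the message. The example.com/example.net names and the 86400-second threshold are assumptions.

```python
import re
from collections import namedtuple

NSRecord = namedtuple("NSRecord", "owner ttl target")

# Constructed zone excerpt modelled on the quoted records; the names are
# placeholders, not the domains discussed in the thread.
ZONE_EXCERPT = """\
example.com. 7200 IN NS ns1.example.net.
example.com. 7200 IN NS ns2.example.net.
example.com. 7200 IN NS ns3.example.net.
example.com. 7200 IN NS ns4.example.net.
"""

NS_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def parse_ns(zone_text):
    """Extract NS records (owner, ttl, target) from zone-file style lines."""
    recs = []
    for line in zone_text.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            recs.append(NSRecord(m.group(1).lower(), int(m.group(2)), m.group(3).lower()))
    return recs


def labels(name):
    return name.rstrip(".").split(".")


def is_under(name, zone):
    """True if name equals zone or is a subdomain of it (label-wise suffix match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def glue_status(owner, target):
    """Where glue for this NS target can live, relative to the delegated owner."""
    if is_under(target, owner):
        return "in-bailiwick: parent zone must carry glue A/AAAA for this host"
    if labels(target)[-1] == labels(owner)[-1]:
        return "same TLD: parent can carry glue, but the NS domain's own delegation must be healthy"
    return "out-of-bailiwick: parent has no glue; resolvers must resolve the NS name separately"


def check_delegation(zone_text, min_ns_ttl=86400):
    """Return (target, glue classification, ttl_too_short) for each NS record."""
    return [(r.target, glue_status(r.owner, r.target), r.ttl < min_ns_ttl)
            for r in parse_ns(zone_text)]
```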