Unusual activity

Simon Waters Simon at wretched.demon.co.uk
Thu May 23 08:56:36 UTC 2002


Simon Matthews wrote:
> 
> In scanning my logfiles for keywords, I came across some unusual activity.
> Now this may just be a coincidence, but since I have never seen this
> before, it does look strange. Is someone trying a DDOS attack on my
> server, or is it to do with an old vulnerability ("infoleak")?
> 
> What is interesting is how these are so closely grouped in time and the
> fact that I have never seen them before (and I configured BIND not to
> allow recursion from external sites some months back).
> 
> Also, who needs to look up "."?

Arguably everyone, but specifically name servers, although these
IPs aren't offering recursion as far as I can tell.

> Anyone care to comment?

Most of them look to be name servers belonging to
netli/verio/Kwest, and/or involved in network performance
measurement.

It could be an attempt at DDoS, but someone is getting very
ambitious in their targets if it is; I think it more likely someone
at these sites listed you as a root server in some context.

Another possibility is that someone is scanning and trying to
cover their tracks (i.e. one is genuine and the rest are fake),
but most scanners just use random IP addresses if they do that,
not just the IPs of name servers from one or two companies.

Never put down to conspiracy what can adequately be explained
by incompetence (or typos!).


More information about the bind-users mailing list