Reverse lookup flood from a single host
Chuck Swiger
cswiger at mac.com
Fri Jul 15 19:46:37 UTC 2011
On Jul 15, 2011, at 12:24 PM, Joshua Beard wrote:
> Greetings,
>
> I've noticed a specific client machine doing a crap load of reverse lookups in my named logs. It's just reverse lookups for our internal network, and just from that machine. I can't see that this machine is looking up anything else, actually. Here's an example:
> 11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.680 client 172.30.116.116#53: view dsdk12.schoollocal: query: 2.130.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 40.207.115.66.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 22.114.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.588 client 172.30.116.116#53: view dsdk12.schoollocal: query: 55.98.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.785 client 172.30.116.116#53: view dsdk12.schoollocal: query: 179.112.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.786 client 172.30.116.116#53: view dsdk12.schoollocal: query: 105.248.250.17.in-addr.arpa IN PTR + (172.30.112.121)
>
> It appears to be non-stop. Middle of the night and through the day. I don't have physical access to the machine at this time, so I can't investigate too much.
>
> Is this abuse? If so, is it likely intentional?
Given that the client is using a RFC-1918 unrouteable IP, presumably it's local to your network.
The data you've shown is less than 10 queries per second; whether this is abusive depends on your policies, but it's not a high query rate. It wouldn't surprise me if a webserver log analysis program like analog/Unison/webalyzer or a virus/malware scanner would generate such traffic.
Regards,
--
-Chuck
More information about the bind-users
mailing list