Reverse lookup flood from a single host

Kevin Oberman kob6558 at gmail.com
Fri Jul 15 20:16:06 UTC 2011


On Jul 15, 2011 12:36 PM, "Joshua Beard" <josh at hewbert.com> wrote:
>
> Greetings,
>
> I've noticed a specific client machine doing a crap load of reverse
> lookups in my named logs.  It's just reverse lookups for our internal
> network, and just from that machine.  I can't see that this machine is
> looking up anything else, actually.  Here's an example:
> 11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.680 client 172.30.116.116#53: view dsdk12.schoollocal: query: 2.130.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 40.207.115.66.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 22.114.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.588 client 172.30.116.116#53: view dsdk12.schoollocal: query: 55.98.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.785 client 172.30.116.116#53: view dsdk12.schoollocal: query: 179.112.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.786 client 172.30.116.116#53: view dsdk12.schoollocal: query: 105.248.250.17.in-addr.arpa IN PTR + (172.30.112.121)
>
> It appears to be non-stop.  Middle of the night and through the day.  I
> don't have physical access to the machine at this time, so I can't
> investigate too much.
>
> Is this abuse?  If so, is it likely intentional?

There are many apps that can generate the volume of queries you are seeing.
The query rate is really not that high.

My first guess is some sort of logging tool, but there are a great many
other possibilities.

R. Kevin Oberman, Network Engineer
Retired
kob6558 at gmail.com
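Added example (not part of the thread, and not anything BIND ships): a small Python script that parses query-log lines in the shape Joshua quoted, tallies queries per client, separates PTR lookups whose target falls inside an assumed internal range (172.30.0.0/16, chosen because every internal address in the thread is in it) from all others, and estimates each client's query rate so that the "is it really that high?" question can be answered from the log rather than by eye. The sample log reuses the eleven lines from the post plus two constructed lines for a second client, one ordinary A query and one "denied" line that is not a query record, to show the parser skipping what it does not understand. The field names and thresholds are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# BIND 9 query-log line in the shape shown in the thread. The "view ...:" clause
# is optional because servers that do not use views do not log it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<dest>[0-9A-Fa-f.:]+)\)$"
)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

# Assumption: the poster's internal network. 172.30.0.0/16 covers every
# internal address visible in the thread; adjust for a real deployment.
INTERNAL_NETS = [ip_network("172.30.0.0/16")]

# First eleven lines are the ones quoted in the post; the last two are constructed
# for a second client (one A query, one non-query "denied" line that must be skipped).
SAMPLE_LOG = [
    "11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.680 client 172.30.116.116#53: view dsdk12.schoollocal: query: 2.130.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 40.207.115.66.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 22.114.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:02.588 client 172.30.116.116#53: view dsdk12.schoollocal: query: 55.98.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:02.785 client 172.30.116.116#53: view dsdk12.schoollocal: query: 179.112.30.172.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:02.786 client 172.30.116.116#53: view dsdk12.schoollocal: query: 105.248.250.17.in-addr.arpa IN PTR + (172.30.112.121)",
    "11-Jul-2011 08:11:01.500 client 172.30.112.50#51234: view dsdk12.schoollocal: query: www.example.com IN A + (172.30.112.121)",
    "11-Jul-2011 08:11:03.000 client 172.30.112.50#51234: query (cache) 'www.example.com/A/IN' denied",
]


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def ptr_target(qname):
    """Map an in-addr.arpa name back to the IPv4 address it asks about, else None."""
    m = PTR_RE.match(qname)
    if not m:
        return None
    try:
        return ip_address(".".join(m.groups()[::-1]))  # in-addr.arpa stores octets reversed
    except ValueError:  # an octet above 255
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def summarize(lines):
    """Per-client totals, PTR counts split by target, source ports seen, and queries/second."""
    stats = defaultdict(lambda: {"total": 0, "ptr": 0, "ptr_internal": 0, "ptr_external": 0,
                                 "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["total"] += 1
        s["ports"].add(rec["port"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["qtype"].upper() == "PTR":
            s["ptr"] += 1
            target = ptr_target(rec["qname"])
            if target is not None and is_internal(target):
                s["ptr_internal"] += 1
            else:
                s["ptr_external"] += 1  # outside INTERNAL_NETS, or not an IPv4 reverse name
    for s in stats.values():
        # Floor the window at 1 s so a client seen once is not reported as an infinite rate.
        window = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["qps"] = s["total"] / window
    return dict(stats)


def noisy_clients(stats, min_qps=1.0, min_ptr_share=0.9):
    """Clients whose traffic is almost entirely PTR and sustained at or above min_qps, busiest first."""
    hits = [c for c, s in stats.items()
            if s["total"] and s["qps"] >= min_qps and s["ptr"] / s["total"] >= min_ptr_share]
    return sorted(hits, key=lambda c: stats[c]["qps"], reverse=True)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client in noisy_clients(report):
        s = report[client]
        print(f"{client}: {s['total']} queries, {s['ptr']} PTR "
              f"({s['ptr_internal']} internal, {s['ptr_external']} other), "
              f"{s['qps']:.1f} q/s, source ports {sorted(s['ports'])}")
```

Run it over `tail -f` output or a saved query log instead of `SAMPLE_LOG` to get the same breakdown for a live server. The source port is kept in the summary because the quoted lines all carry `#53`, and whether a client's source port is fixed or ephemeral is one of the things worth noting before deciding what software on the host is generating the traffic.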