From owner-freebsd-questions Tue Jun 6 12:41:47 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (Postfix) with ESMTP id 68BB737BA93 for ; Tue, 6 Jun 2000 12:41:41 -0700 (PDT) (envelope-from ejs@bfd.com)
Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.10.0/8.10.0) with ESMTP id e56Jfbb28804; Tue, 6 Jun 2000 12:41:37 -0700 (PDT)
Date: Tue, 6 Jun 2000 12:41:37 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: first name
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: DNS DOS attack? Probably not....
In-Reply-To: <20000606190749.7705.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 6 Jun 2000, first name wrote:

> I run a DNS server for a small ISP. In the middle of the night, our DNS
> server gets repeated requests for lookups from a small number of users. One
> user might generate 100 to 150 DNS requests each minute. Others might send
> 50 to 75 requests per minute.
>
> There is a core group that does this every night. And an equal number of
> people send the repeated DNS requests off and on. Most are forward lookups,
> but about 25% are reverse lookups.
>
> Any idea what the hell they are doing? DOS? Cracking? Trying to keep the
> connection nailed up? Why would any program need to do 100 DNS lookups in a
> minute? Could I have set up something wrong? Can't imagine what.
>
> Thanks for any ideas or information.

There's a batch program for analog that fills in RDNS info in web server
logs, though that doesn't explain the forward lookups. Maybe they're
flushing sendmail queues. No one thing answers all the questions; it may be
a combination of things done from a nightly cron job, or it might be
something I haven't seen yet.
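The thread turns on two numbers: how many queries each client sends per minute, and what share of them are reverse lookups. The following is an added example, not code from the original thread or from any of the participants; it parses a constructed sample in a BIND-9-style query-log line format (assumed here, since the post shows no log lines), tallies queries per client per minute, and reports clients whose peak rate reaches a threshold together with their reverse-lookup fraction, which is the first thing to check before deciding whether a nightly cron job or something else explains the traffic.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post); the line format is an assumption
# modelled on BIND 9 query logging. Client 192.0.2.10 sends four queries in
# one minute, two of them reverse (PTR / in-addr.arpa) lookups.
SAMPLE_LOG = """\
06-Jun-2000 02:13:05.101 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
06-Jun-2000 02:13:05.140 client 192.0.2.10#53212: query: 5.2.0.192.in-addr.arpa IN PTR + (192.0.2.1)
06-Jun-2000 02:13:06.002 client 192.0.2.10#53213: query: mail.example.net IN MX + (192.0.2.1)
06-Jun-2000 02:13:07.310 client 192.0.2.10#53214: query: 9.2.0.192.in-addr.arpa IN PTR + (192.0.2.1)
06-Jun-2000 02:13:40.500 client 192.0.2.77#40001: query: www.example.org IN A + (192.0.2.1)
06-Jun-2000 02:14:01.000 client 192.0.2.10#53215: query: ftp.example.com IN A + (192.0.2.1)
"""

# Capture the minute (date + HH:MM), the client address, the name and the query type.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d):\d\d\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def query_stats(log_text):
    """Return {client_ip: {"minutes": {minute: count}, "reverse": n, "total": n}}."""
    stats = defaultdict(lambda: {"minutes": defaultdict(int), "reverse": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query record (startup messages, etc.)
        rec = stats[m["ip"]]
        rec["minutes"][f"{m['date']} {m['time']}"] += 1
        rec["total"] += 1
        # Count a lookup as "reverse" if it is a PTR query or targets in-addr.arpa.
        if m["qtype"] == "PTR" or m["name"].lower().endswith(".in-addr.arpa"):
            rec["reverse"] += 1
    return stats

def noisy_clients(log_text, per_minute=100):
    """Clients whose busiest minute reaches per_minute queries, with reverse-lookup share."""
    out = {}
    for ip, rec in query_stats(log_text).items():
        peak = max(rec["minutes"].values())
        if peak >= per_minute:
            out[ip] = {"peak_per_minute": peak,
                       "reverse_fraction": rec["reverse"] / rec["total"]}
    return out

if __name__ == "__main__":
    for ip, info in noisy_clients(SAMPLE_LOG, per_minute=4).items():
        print(ip, info)
```

With a real log, run it at the default threshold of 100 queries per minute, the rate the original poster reports for the busiest clients, and compare each flagged client's reverse-lookup fraction against the roughly 25% mentioned in the thread.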