For the past 5 days, we’ve been seeing a 20-25% bump in DNS QPS for random 5-10 minute intervals that started back up this morning. It’s certainly not a pattern that we’re accustomed to seeing, so we classified this as a traffic anomaly and sent our Operations Team searching for answers on what the source of this might be.
Here are the particulars of what we’re seeing:
- Source IPs are from IP prefixes originating from China Telecom and China Netcom address space.
- Source ports are randomized.
- DNS transaction ID is randomized.
- The queries follow delegation paths to our nameservers via customer domains. We do see queries for domains that we are not authoritative for, meaning that this is likely bogus traffic to real domains.
This has been noticed not only by us, but also by those on the Dns-operations list, NANOG and other related mailing lists.
Given that this has been noticed by other network operators but is such a huge amount of traffic, we’re surprised that the discussion about this has been relatively muted. Are others seeing this? What are you doing about it (if anything)? What do you think is behind it?
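One way to check an authoritative server's query log for the traits listed above: short volume bumps, queries for names outside the served zones, and source prefixes not seen at baseline. This is an added example, not code from the original post; the `(minute, source_ip, qname)` tuple layout, the zone names, the /24 grouping and the 15% threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import Counter
from statistics import median
AUTH_ZONES = {"customer-a.example", "customer-b.example"}  # constructed zones

def in_zone(qname, zones=AUTH_ZONES):
    """True if qname is at or below a zone we are authoritative for."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

def prefix(src):
    """Group a source IPv4 address by /24 (assumption; real prefixes need BGP data)."""
    return str(ipaddress.ip_network(f"{src}/24", strict=False))

def find_bumps(queries, threshold=0.15):
    """Return [start, end] minute intervals whose volume exceeds the median by threshold."""
    per_min = Counter(minute for minute, _src, _qname in queries)
    base = median(per_min.values())
    intervals = []
    for m in sorted(m for m, n in per_min.items() if n > base * (1 + threshold)):
        if intervals and m == intervals[-1][1] + 1:
            intervals[-1][1] = m          # extend the current interval
        else:
            intervals.append([m, m])      # start a new one
    return intervals

def profile(queries, threshold=0.15):
    """For each bump, report length, off-zone query share and prefixes unseen at baseline."""
    bumps = find_bumps(queries, threshold)
    hot = {m for s, e in bumps for m in range(s, e + 1)}
    normal = {prefix(src) for m, src, _q in queries if m not in hot}
    report = []
    for start, end in bumps:
        window = [q for q in queries if start <= q[0] <= end]
        off_zone = sum(1 for _m, _s, qname in window if not in_zone(qname))
        report.append({"start": start, "minutes": end - start + 1,
                       "off_zone_share": round(off_zone / len(window), 2),
                       "new_prefixes": sorted({prefix(s) for _m, s, _q in window} - normal)})
    return report

def sample_queries():
    """Constructed log: 100 q/min for 30 minutes, plus 25 extra q/min in minutes 10-16."""
    rows = []
    for minute in range(30):
        rows += [(minute, f"192.0.2.{i % 50}", "www.customer-a.example") for i in range(100)]
        if 10 <= minute <= 16:
            rows += [(minute, f"198.51.100.{i}",
                      "www.customer-b.example" if i % 5 else "not-ours.example")
                     for i in range(25)]
    return rows

if __name__ == "__main__":
    print(profile(sample_queries()))
```

The median baseline keeps a bump of a few minutes from inflating its own threshold, which a plain mean over the same window would do.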