[unisog] odd traffic on udp 53 (variation on thread)

Doug Nelson nelson at clunix.cl.msu.edu
Tue Oct 21 11:11:40 GMT 2003

Clarke Morledge writes:

> I don't think I've got the same thing going on udp port 53, but I am
> seeing some awfully weird stuff with DNS.
> We are seeing huge spikes of DNS queries from our official campus DNS
> servers querying other DNS servers upstream.   From several hundred DNS
> queries every 10 to 30 minutes or so to around 10,000 or more during the
> same time period.  The sheer quantity bothers me.  These DNS storms last
> about an hour before they die off.
> But the most annoying part is that they are DoS'ing my PIX firewall.  The
> huge surge of UDP "connections" burns up all of the resources on the PIX
> -- pegging the CPU (running PIX version 6.3).
> Is anybody seeing anything like this?

I did catch something similar a week or two ago.  My normal DNS traffic
numbers are about an order of magnitude higher, and so was the spike in
DNS traffic.

From what I could tell, the DNS storm was actually a DoS by my own users.
The remote domain name escapes me now, but the domain became unreachable
for a while.  The specific names being requested all had short TTLs
(5 minutes, I believe), and had expired from the local cache.  I'm guessing
that the primary name server for the domain had become unreachable or
unresponsive, and all the secondaries dropped the domain after a while
(perhaps an excessively short SOA expires value - I didn't think to check
that).  In any case, my local users kept pounding on my DNS with queries
for the domain, likely from an attempt to refresh active screen content
of some sort.  The net effect, though, was a flood of traffic to/from
my servers, using 90%+ of my CPUs for about half an hour.

If I catch that one again, I'll post the domain - perhaps it's the same
domain that affected your servers.
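The posting above describes the pattern worth catching: one domain whose short-TTL names have expired from the resolver cache, cannot be refreshed because its authoritative servers have gone away, and is hammered by many local clients so that every query goes upstream. The script below is an added example, not code from the original message or from the list; it runs spike detection over a constructed BIND-style query log (the "client IP#port: query: NAME IN TYPE" field order, the hostnames, addresses and timestamps are all made up for the illustration) and reports the offending domain, query count and number of distinct clients per time window. The 10-minute window, the 10x-over-median ratio, the 50-query floor and the "last two labels" domain collapse are assumptions chosen for the example, not thresholds from the thread.

```python
"""Find the domain behind a resolver query storm from a BIND-style query log.

Added example (not from the original list posting).  Log format, sample data
and thresholds are constructed assumptions for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed BIND 9 query-log layout, e.g.
# "21-Oct-2003 10:02:13.417 client 10.1.2.3#4321: query: img.example.net IN A"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def registered_domain(name, labels=2):
    """Collapse a query name to its last `labels` labels (img3.slowsite.example -> slowsite.example).
    Assumption: two labels identify the zone; this misfires on ccTLD second-level
    registries such as co.uk, where you would want three."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def parse_line(line):
    """Return (timestamp, client_ip, domain) for a query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), registered_domain(m.group("name"))


def find_storms(lines, window=timedelta(minutes=10), ratio=10.0, min_queries=50):
    """Return sorted [(window_start, domain, queries, distinct_clients)] for every
    domain whose query count in some window is at least `min_queries` and at least
    `ratio` times its median per-window count (the median is the baseline, so a
    single storm window does not inflate it)."""
    per_window = defaultdict(Counter)   # window_start -> Counter(domain -> queries)
    clients = defaultdict(set)          # (window_start, domain) -> set(client_ip)
    start = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip non-query lines
        ts, client, dom = rec
        if start is None:
            start = ts                  # windows are aligned to the first query seen
        bucket = start + window * ((ts - start) // window)
        per_window[bucket][dom] += 1
        clients[(bucket, dom)].add(client)
    windows = sorted(per_window)
    domains = set().union(*per_window.values()) if per_window else set()
    storms = []
    for dom in domains:
        series = [per_window[w][dom] for w in windows]   # zero where the domain is absent
        baseline = statistics.median(series)
        for w, n in zip(windows, series):
            if n >= min_queries and n >= ratio * max(baseline, 1):
                storms.append((w, dom, n, len(clients[(w, dom)])))
    return sorted(storms)


def make_sample_log():
    """Constructed log: three quiet 10-minute windows, then a fourth in which
    twenty clients pound one domain whose names can no longer be refreshed."""
    t0 = datetime(2003, 10, 21, 10, 0, 0)
    lines = []

    def add(ts, client, name):
        lines.append(f"{ts.strftime('%d-%b-%Y %H:%M:%S')}.000 "
                     f"client {client}#4321: query: {name} IN A")

    background = ["www.example.com", "mail.example.org", "content.slowsite.example"]
    for w in range(4):
        base = t0 + timedelta(minutes=10 * w)
        for i in range(6):
            add(base + timedelta(seconds=90 * i), f"10.0.0.{i + 1}", background[i % 3])
    storm_start = t0 + timedelta(minutes=30)
    for i in range(200):   # 200 queries in ~10 minutes from 20 clients, 4 hostnames
        add(storm_start + timedelta(seconds=3 * i), f"10.0.1.{i % 20 + 1}",
            f"img{i % 4}.slowsite.example")
    return lines


if __name__ == "__main__":
    for w, dom, n, c in find_storms(make_sample_log()):
        print(f"{w:%Y-%m-%d %H:%M} {dom}: {n} queries from {c} clients")
```

Pointing this at a real resolver log needs two adjustments: the regex must match the logging format actually configured on your server, and a high distinct-client count is what separates the "my own users hammering a dead domain" case described above from a single misbehaving host, which a per-client rate limit would handle instead.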

