Neeed Geeeeeks.... (and sleep) - Grin with cat attached — LiveJournal
Neeed Geeeeeks.... (and sleep) Jul. 27th, 2004 10:06 am
For reasons I've yet to fully figure out, the network throughput on my personal primary server suddenly jumped 8-fold this morning.

I'm fiddling through a few tricks to try and work out why, but I'm completely zoned out today. Does anyone have any suggestions on how to figure out the source / port / app causing this leap?

Update:
According to tethereal, the traffic is almost entirely comprised of DNS AAAA requests for ns.dnseu.com ns3.dnseu.com ns2.dnseu.com (which have bugger-all to do with me) from:
heifong:/home2/wechsler# host 12.170.116.67
Name: pita67.mercurylink.net
Address: 12.170.116.67

heifong:/home2/wechsler# host 12.170.116.66
Name: pita66.mercurylink.net
Address: 12.170.116.66

heifong:/home2/wechsler# host 12.166.51.68
12.166.51.68 PTR record not found, server failure

From: deborah_c
Date: July 27th, 2004 - 10:16 am (Link)
For addresses with no reverse DNS, "whois" will generally give you a clue as to who it belongs to:

$ whois 12.166.51.68
[...]
MERCURYLINK ONLINE MERCURYL15-51 (NET-12-166-51-0-1)
12.166.51.0 - 12.166.51.255

So, all three machines are in the same place. I can't think of any legitimate reason to have DNS query traffic at that sort of rate; is there any chance that you've annoyed someone who's trying to DoS you?
From: wechsler
Date: July 27th, 2004 - 10:46 am (Link)
I've been online for 10 years, I'm sure I've annoyed *someone* ;) However I can't think of anything I've done recently that would have had a significant effect.
From: wechsler
Date: July 27th, 2004 - 10:47 am (Link)
Updated bind, stuck in
allow-query { !12.166.51/24; !12.170.116/24; 0.0.0.0/0; };
restarted the service.

Something in that lot stopped the flood.
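A worked example, added here and not part of the post or its comments: it assumes BIND's query-log line format ("client IP#port: query: NAME IN TYPE") and uses the addresses and names quoted above with invented line counts. It answers the question the tethereal update answered (which clients send the most queries, and for what) and then evaluates an address match list like the allow-query one above against those clients, including BIND's abbreviated-prefix shorthand.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample query-log lines in BIND's "client IP#port: query: NAME IN TYPE" format.
# The addresses and names are the ones quoted in the post; the line counts are invented.
SAMPLE_LOG = (
    ["client 12.170.116.67#1045: query: ns.dnseu.com IN AAAA +"] * 40
    + ["client 12.170.116.66#1046: query: ns2.dnseu.com IN AAAA +"] * 35
    + ["client 12.166.51.68#1047: query: ns3.dnseu.com IN AAAA +"] * 30
    + ["client 192.0.2.10#53123: query: www.example.org IN A +"] * 2
)

# The address match list from the comment above, as a Python list (order matters in BIND).
ACL = ["!12.166.51/24", "!12.170.116/24", "0.0.0.0/0"]

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def top_talkers(lines, threshold):
    """Map each client sending >= threshold queries to (count, its most common (qname, qtype))."""
    per_ip = Counter()
    per_ip_q = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; skip it
        ip = m.group("ip")
        per_ip[ip] += 1
        per_ip_q.setdefault(ip, Counter())[(m.group("qname"), m.group("qtype"))] += 1
    return {ip: (n, per_ip_q[ip].most_common(1)[0][0])
            for ip, n in per_ip.items() if n >= threshold}

def _expand_prefix(prefix):
    """BIND accepts abbreviated prefixes such as 12.166.51/24; pad to four octets for ipaddress."""
    addr, _, plen = prefix.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)

def acl_allows(acl, ip):
    """Evaluate a BIND address match list: first matching element wins, '!' negates, no match denies."""
    address = ipaddress.ip_address(ip)
    for element in acl:
        negated = element.startswith("!")
        if address in _expand_prefix(element.lstrip("!")):
            return not negated
    return False
```

Run `top_talkers(SAMPLE_LOG, 10)` to get the three mercurylink hosts with their AAAA queries for the dnseu.com names, and `acl_allows(ACL, ip)` for each to confirm the list denies exactly those two /24s while still answering everyone else.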
From: deborah_c
Date: July 27th, 2004 - 11:04 am (Link)
Glad it went away. btw, the sources you quoted *are* {ns1,ns2,ns3}.dnseu.com, so they're querying you to find out their own addresses... Sounds like misconfiguration on someone's part at the other end; I should try to be a little more awake before posting :)