
Notes:


As the trace shows, the source IP 216.91.223.97 issues the same query to each of our DNS servers. Specifically, the first three queries ask for the Start of Authority (SOA) record for the .com top-level domain.

First, it is suspicious that our DNS servers are being asked to resolve this query at all: we are not the authoritative server for .com, nor for .net, which is queried later in the trace. So either we are the target, or we are being used as a reflector to answer these queries on someone else's behalf. Next, compare the size of the query with the size of the response. The first SOA query for .com carries only 21 bytes of DNS payload (a 12-byte header plus a 9-byte question), yet the asymmetric response carries 508 bytes of payload. The SOA record itself is not large, but because our servers are not authoritative they must also reference all of the root server records in the authority and additional sections, and that is where the large byte count comes from. We see the same thing later when the querier issues the SOA query for .net.

Although our DNS servers had to answer every one of these queries, they appear to have kept up with the traffic, especially since the results were cached. The same SOA queries were repeated many times. Why SOA queries? The record type probably did not matter; the point appears to have been to elicit the largest response the 512-byte maximum UDP payload would allow, here roughly 24 bytes returned for every byte sent.
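To make the two observations above concrete (the 21-byte SOA question and the query-to-response byte ratio), here is an added example that is not part of the original notes. It builds the wire-format DNS question the notes describe, decodes it back, and then runs a simple detector over a constructed set of observations: sources that repeat the same question for a zone we are not authoritative for, with a high response/request byte ratio, are flagged. The resolver addresses are omitted on purpose, the 508-byte figure for the .net response and the benign lookup from 198.51.100.7 are assumed for the sample, and the zone list, thresholds and function names are mine.

```python
"""Added example (not from the original notes): build and decode the DNS
question the notes discuss, and flag sources whose repeated queries for
zones we do not serve yield a high response/request byte ratio."""
import struct
from collections import defaultdict

QTYPE_A = 1
QTYPE_SOA = 6
QCLASS_IN = 1
UDP_MAX_PAYLOAD = 512   # classic DNS-over-UDP limit without EDNS0


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in 0x00."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype, recursion_desired=False):
    """Return the UDP payload of a one-question DNS query.
    The header is 12 bytes: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload):
    """Decode the first question of a DNS message as (txid, qname, qtype).
    Name compression is not handled; question names are sent uncompressed."""
    txid, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            break
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return txid, ".".join(labels), qtype


def amplification_report(events, our_zones, min_count=3, min_ratio=10.0):
    """Group (src, qname, qtype, query_bytes, response_bytes) observations by
    source and question. Return the groups that repeat at least min_count
    times, ask about a zone we are not authoritative for, and return at
    least min_ratio bytes per byte received."""
    stats = defaultdict(lambda: {"count": 0, "bytes_in": 0, "bytes_out": 0})
    for src, qname, qtype, qbytes, rbytes in events:
        s = stats[(src, qname.lower().strip("."), qtype)]
        s["count"] += 1
        s["bytes_in"] += qbytes
        s["bytes_out"] += rbytes
    flagged = []
    for (src, qname, qtype), s in stats.items():
        ours = any(qname == z or qname.endswith("." + z) for z in our_zones)
        ratio = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0
        if s["count"] >= min_count and not ours and ratio >= min_ratio:
            flagged.append({"src": src, "qname": qname, "qtype": qtype,
                            "count": s["count"], "ratio": round(ratio, 1)})
    return sorted(flagged, key=lambda f: -f["ratio"])


# Constructed sample modelled on the notes: one source sends the same SOA
# question (21-byte payload) for .com and then .net to three resolvers and
# receives a 508-byte referral each time (the .net size is assumed); a
# second host performs an ordinary A lookup in a zone we do serve.
SAMPLE_EVENTS = [
    ("216.91.223.97", "com", QTYPE_SOA, 21, 508),
    ("216.91.223.97", "com", QTYPE_SOA, 21, 508),
    ("216.91.223.97", "com", QTYPE_SOA, 21, 508),
    ("216.91.223.97", "net", QTYPE_SOA, 21, 508),
    ("216.91.223.97", "net", QTYPE_SOA, 21, 508),
    ("216.91.223.97", "net", QTYPE_SOA, 21, 508),
    ("198.51.100.7", "www.example.org", QTYPE_A, 33, 49),
]
OUR_ZONES = {"example.org"}   # assumed: zones these servers are authoritative for

if __name__ == "__main__":
    q = build_query(0x1234, "com", QTYPE_SOA)
    print(len(q), "byte payload ->", parse_question(q))
    for hit in amplification_report(SAMPLE_EVENTS, OUR_ZONES):
        print(hit)
```

The 21-byte figure in the notes falls straight out of the wire format, and the detector reports a ratio of about 24 for both the .com and .net groups while the ordinary lookup stays below every threshold. In practice the same grouping would be fed from a packet capture or query log rather than the inline list.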