My guess might be these are part of some larger DNS reflection attack. I cannot speak to why
they'd be coming in to you, but UDP is unfriendly in that it allows an attacker to
pretend to be someone, ask for a DNS response, and real DNS servers will send the traffic
to their victim. This is potentially why you're seeing various commercial/44 net IPs:
these are open (publicly facing) recursive DNS resolvers that may be being abused
by an attacker. So, if any of those 44 net IPs do turn out to be open recursive resolvers,
best practice is to not have those face the internet, but just your intranet only.
DNS reflection/amplification attacks, as well as their NTP-based brethren, have
unfortunately been picking up steam of late, and have been wreaking havoc all over the
internet. Let's avoid helping them out by keeping NTP and DNS services internal only
unless really necessary.
Nigel
K7NVH
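
To check whether one of your own hosts is an open recursive resolver of the kind described above, the following is an added example, not part of the original message. The function names are hypothetical, the sample replies are constructed rather than captured, and the test name `example.com` is assumed to be one the server is not authoritative for.

```python
import socket
import struct

QR, AA, RA, RCODE_MASK, REFUSED = 0x8000, 0x0400, 0x0080, 0x000F, 5

def build_query(name, qid=0x4b37):
    """A/IN query with RD (recursion desired) set, as a stub resolver would send."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify_response(query, response):
    """Return (verdict, reply/query size ratio) for a reply to build_query()."""
    # The queried name must be one the server is NOT authoritative for;
    # an authoritative answer says nothing about recursion.
    if len(response) < 12:
        return "invalid", 0.0
    qid, flags = struct.unpack("!HH", response[:4])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "invalid", 0.0
    ratio = round(len(response) / len(query), 2)
    rcode = flags & RCODE_MASK
    if rcode == REFUSED:
        return "refused", ratio
    if flags & AA:
        return "authoritative", ratio
    if flags & RA and rcode in (0, 3):   # NOERROR or NXDOMAIN obtained by recursing
        return "open-recursive", ratio
    return "no-recursion", ratio

def probe(host, name="example.com", timeout=3.0):
    """Send one query to a resolver you administer, from OUTSIDE its network."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer", 0.0   # filtered or not listening: nothing to reflect
    return classify_response(query, response)

# Constructed replies (not captured traffic): same question, different flag words.
_q = build_query("example.com")
_answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = _q[:2] + struct.pack("!HHH", 0x8180, 1, 1) + _q[8:] + _answer
SAMPLE_REFUSED = _q[:2] + struct.pack("!HHH", 0x8105, 1, 0) + _q[8:]
```

A verdict of `open-recursive` from an outside vantage point means the host will answer spoofed queries on behalf of anyone; `refused` or `no-answer` is the result you want for an intranet-only resolver.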