We were portscanned for open telnets by host 209.44.98.181 a week ago (or by someone masquerading as same). Following our SOP, we sent a nasty note and blocked traffic from their /24.

Ever since, however, we've noted our nameservers trying like hell to resolve 'user181.209.44.98.dsli.com' in the DNS; some investigation via ethereal showed that numerous hosts in our network were making these repetitive requests. The nameservers for dsli.com, 209.203.214.{10,40}, are either completely swamped or turned off in self-defense.

Is this a known DDoS? Is there a known technique that I've completely missed? I either have a network full of nodes responding to some traffic I'm not seeing, or I have a network full of zombies of (so far) many different UNIX variants.

Any info gratefully received,
-g

--
Glenn Forbes Fleming Larratt
The Lab Ratt (not briggs :-)
glrattat_private
http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
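One way to pin down which internal hosts are generating the repeated lookups described above, as an added example that is not part of the original post: it parses a resolver query log (the sample lines below are constructed, loosely modelled on a BIND-style query log, and the regex and thresholds are assumptions) and flags names that several distinct clients keep querying, so the offending machines can be found without capturing every packet.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on a resolver query log; not data
# from the original post. The name being hammered is the one the post mentions.
SAMPLE_LOG = """\
10:01:02 client 192.168.1.10#1025: query: user181.209.44.98.dsli.com IN A
10:01:02 client 192.168.1.10#1025: query: user181.209.44.98.dsli.com IN A
10:01:03 client 192.168.1.22#1101: query: user181.209.44.98.dsli.com IN A
10:01:03 client 192.168.1.37#2201: query: user181.209.44.98.dsli.com IN A
10:01:04 client 192.168.1.10#1026: query: user181.209.44.98.dsli.com IN A
10:01:04 client 192.168.1.22#1102: query: user181.209.44.98.dsli.com IN A
10:01:05 client 192.168.1.37#2202: query: user181.209.44.98.dsli.com IN A
10:01:05 client 192.168.1.50#3300: query: www.example.com IN A
10:01:06 client 192.168.1.10#1027: query: 181.98.44.209.in-addr.arpa IN PTR
10:01:06 client 192.168.1.22#1103: query: mail.example.com IN MX
"""

# Assumed log shape: "... client <ip>#<port>: query: <name> IN <type> ..."
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (client, qname, qtype) for every line the pattern matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qname"].lower().rstrip("."), m["qtype"]


def find_query_storms(text, min_clients=2, min_queries=3):
    """Return names queried at least min_queries times by at least min_clients
    distinct clients, as (qname, total_queries, sorted clients), busiest first."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for client, qname, _qtype in parse_queries(text):
        counts[qname] += 1
        clients[qname].add(client)
    storms = [
        (qname, counts[qname], sorted(clients[qname]))
        for qname in counts
        if counts[qname] >= min_queries and len(clients[qname]) >= min_clients
    ]
    storms.sort(key=lambda row: row[1], reverse=True)
    return storms


if __name__ == "__main__":
    for qname, total, who in find_query_storms(SAMPLE_LOG):
        print(f"{qname}: {total} queries from {len(who)} hosts: {', '.join(who)}")
```

Run against a real query log, the client list is the set of machines to inspect first; the single PTR lookup for the same address is left visible so the two query types can be correlated by hand.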
This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 08:39:05 PDT