Re: New DNS connection with SYN ACK

From: Nick Drage (nickdat_private)
Date: Mon Jan 14 2002 - 05:00:56 PST

    On Fri, Jan 11, 2002 at 07:47:17PM +0100, Richard Arends wrote:
    > On 11 Jan 2002, Jerry Perser wrote:
    > 
    > > Here are the 19 ip addresses:
    > >
    > 
    > I'm getting scans for port 53 from the same IPs!
    
    Apologies for adding another "me too", but there's a thread in
    comp.security.firewalls, subject "Misconfigured DNS, firewall too tight
    or (spoofed?) attack?", discussing the same thing.
    
    I'd be interested to know what is causing this traffic; my guess in that
    Usenet thread was that the person receiving these packets was a fake
    source for DNS scanning - but that is, of course, wrong.
    
    -- 
    Nick Drage - Security Architecture - Demon Internet
    "A lonely voice
     Echoing through the wilderness
     Request Timed Out"
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 10:02:39 PST