On Tue, 16 Apr 2002, LAVELLE,MICHAEL (HP-PaloAlto,ex1) wrote:

> I recently started seeing strange UDP traffic to my home DSL, which is
> included below. It has been active for the last 4 days at all hours. None of
> these IPs are DNS servers that I use, and much of the activity is when all
> of my computers are off.

What do you mean when your computers are off? I assume X.X.55.121 is one of yours? The machine that belongs to that IP address is off when this traffic is being logged?

>
> Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53)
> -> X.X.55.121(1067), 4 packets
> Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53)
> -> X.X.55.121(1067), 4 packets

Those first two (all I checked) are root DNS servers. This makes it look exactly like you've got a copy of bind running on X.X.55.121, and it's just trying to resolve names. However, if that machine is supposed to be off...

Ryan
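An added example, not part of the original thread: a small triage script that parses `%SEC-6-IPACCESSLOGP` entries like the ones quoted above and reports which internal host and port are receiving denied DNS-reply-shaped traffic (UDP, source port 53, high destination port). The function names, the `>= 1024` client-port heuristic and the third log entry are assumptions made for illustration; the root-server set holds only the two addresses the reply identifies.

```python
import re
from collections import defaultdict

# The two sources the reply identifies as root DNS servers.
ROOT_SERVERS = {"192.36.148.17", "202.12.27.33"}

ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?")

def parse(log_text):
    """Yield one dict per ACL log entry; wrapped lines are rejoined first."""
    flat = " ".join(log_text.split())
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        for k in ("sport", "dport", "pkts"):
            e[k] = int(e[k])
        yield e

def classify(e):
    """Label traffic that looks like a reply to an outbound DNS query."""
    if e["proto"] == "udp" and e["sport"] == 53 and e["dport"] >= 1024:
        return "dns-reply-root" if e["src"] in ROOT_SERVERS else "dns-reply"
    return "other"

def resolver_candidates(log_text):
    """Map (host, port) -> denied packet count for DNS-reply-shaped traffic."""
    hits = defaultdict(int)
    for e in parse(log_text):
        if e["action"] == "denied" and classify(e).startswith("dns-reply"):
            hits[(e["dst"], e["dport"])] += e["pkts"]
    return dict(hits)

# First two entries are from the post; the third is constructed for contrast.
SAMPLE = """\
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53)
 -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53)
 -> X.X.55.121(1067), 4 packets
Apr 14 22:45:10: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(4000)
 -> X.X.55.121(137), 1 packet
"""

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(classify(e), e["src"], "->", e["dst"], e["dport"])
    print(resolver_candidates(SAMPLE))
```

A host and port that show up here point at something on that address sending DNS queries from that port, which is the next thing to look for on the machine itself.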