Re: BIND scan from

From: Mike Arnold (MKArnoldat_private)
Date: Fri Aug 16 2002 - 18:30:34 PDT

    On Friday 16 Aug 2002 5:31 pm, you wrote:
    > I have seen them scan for misconfigured TP servers all the time .. and I
    > block that on all of my firewalls, I think we all know when they add a new
    > subnet, we get scanned and add it to our list of Wanadoo .. but what I'm
    > saying is that this is the first time I see them originate high port and
    > scan the destination port 53 .. that is what is new.

    I'm consistently getting scans of this nature from various subnets around the
    world. Not traced them back to source since they appeared to be just "noise".
    However, they always come on the back of a DNS cache lookup, much like the
    "speedera pings" that attempt to route you through to the fastest DNS server.
    Not looked into any deeper than that. I have traced the odd one back to a
    subnet in Asia (I think), but not carried out a scientific analysis. I have
    the logs to go back through at some stage to see if they are consistently
    coming from the same region. A big yippee for SamSpade, makes life so much

    Only other thing that appears consistent is that they come in clumps. Never a
    solitary scan, always about 6 from various IPs on different subnets. Often
    they come as a clump of pings from 6 addresses followed by a clump of DNS
    scans from the same IPs. Couldn't explain it, but had other things to worry
    about so I never looked any deeper. Things are quietening off so I may do
    some studies of them.

    On a 2 hour re-connect dialup (yeah, I'm one of those that can't yet get
    broadband *sigh*) I've had almost 900 of these in the last month - 2 weeks of
    which the firewall was turned off due to holidays. Prior to that I hadn't got
    a DNS cache so I couldn't say.

    Hope that helps.

     "In their capacity as a tool, computers will be but a ripple on the
       surface of our culture. In their capacity as intellectual challenge,
       they are without precedent in the cultural history of mankind."
    	Edsger Wybe Dijkstra on Computers
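
The pattern described in the message above (a clump of pings from several addresses on different subnets, followed by port 53 probes from the same addresses) can be pulled out of firewall logs with a short script. This is an added example, not part of the original post; the log format, the time windows, the `min_sources` threshold and the sample addresses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample in an assumed format: "<ISO time> <proto> <src> <dport>"
# (dport is "-" for ICMP echo). Addresses are documentation ranges.
SAMPLE_LOG = """\
2002-08-16T17:00:01 icmp 192.0.2.10 -
2002-08-16T17:00:02 icmp 198.51.100.7 -
2002-08-16T17:00:02 icmp 203.0.113.40 -
2002-08-16T17:00:05 tcp 192.0.2.10 53
2002-08-16T17:00:06 tcp 198.51.100.7 53
2002-08-16T17:00:07 udp 203.0.113.40 53
2002-08-16T17:30:00 tcp 192.0.2.99 53
2002-08-16T18:10:00 icmp 198.51.100.200 -
"""

def parse(log):
    """Yield (time, proto, src, dport) tuples from the assumed log format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, proto, src, dport = parts
        yield datetime.fromisoformat(ts), proto, src, dport

def find_clumps(log, follow=timedelta(seconds=60),
                gap=timedelta(seconds=120), min_sources=3):
    """Return clumps: sorted source lists that pinged, then probed port 53."""
    last_ping, hits = {}, []
    for ts, proto, src, dport in sorted(parse(log)):
        if proto == "icmp":
            last_ping[src] = ts  # remember the most recent ping per source
        elif dport == "53" and src in last_ping and ts - last_ping[src] <= follow:
            hits.append((ts, src))  # port 53 probe shortly after a ping
    clumps, current = [], []
    for ts, src in hits:  # hits are already in time order
        if current and ts - current[-1][0] > gap:
            clumps.append(current)  # a quiet period closes the clump
            current = []
        current.append((ts, src))
    if current:
        clumps.append(current)
    result = []
    for clump in clumps:
        sources = sorted({src for _, src in clump})
        subnets = {ip_network(f"{s}/24", strict=False) for s in sources}
        if len(sources) >= min_sources and len(subnets) > 1:
            result.append(sources)  # several sources on different /24s
    return result
```

Raising `min_sources` to 6 matches the clump size the message reports; the lone port 53 probe and the lone ping in the sample are ignored because neither forms a ping-then-probe pair.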
    This list is provided by the SecurityFocus ARIS analyzer service.