On Friday 16 Aug 2002 5:31 pm, you wrote:
> I have seen them scan for misconfigured TP servers all the time .. and I
> block that on all of my firewalls, I think we all know when they add a new
> subnet, we get scanned and add it to our list of Wanadoo .. but what I'm
> saying is that this is the first time I see them originate high port and
> scan the destination port 53 .. that is what is new.

I'm consistently getting scans of this nature from various subnets around the world. Not traced them back to source since they appeared to be just "noise". However, they always come on the back of a DNS cache lookup, much like the "speedera pings" that attempt to route you through to the fastest DNS server. Not looked into any deeper than that.

I have traced the odd one back to a subnet in Asia (I think), but not carried out a scientific analysis. I have the logs to go back through at some stage to see if they are consistently coming from the same region. A big yippee for SamSpade, makes life so much easier.

Only other thing that appears consistent is that they come in clumps. Never a solitary scan, always about 6 from various IPs on different subnets. Often they come as a clump of pings from 6 addresses followed by a clump of DNS scans from the same IPs. Couldn't explain it, but had other things to worry about so I never looked any deeper. Things are quietening off so I may do some studies of them.

On a 2 hour re-connect dialup (yeah, I'm one of those that can't yet get broadband *sigh*) I've had almost 900 of these in the last month - 2 weeks of which the firewall was turned off due to holidays. Prior to that I hadn't got a DNS cache so I couldn't say.

Hope that helps.

Mike

--
"In their capacity as a tool, computers will be but a ripple on the surface of our culture. In their capacity as intellectual challenge, they are without precedent in the cultural history of mankind."
Edsger Wybe Dijkstra on Computers

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
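Added example, not part of the original message: one way to go back through firewall logs for the pattern described above, a clump of pings from several addresses followed by a clump of high-port-to-53 probes from the same addresses. The log line format, the sample addresses and the thresholds (gap, min_sources, follow, overlap) are all assumptions made for this sketch.

```python
from collections import namedtuple
from ipaddress import ip_network

Event = namedtuple("Event", "ts kind src")

# Constructed sample data in a hypothetical format: epoch proto src:sport -> dst:dport
SOURCES = ["198.51.100.7", "198.51.100.200", "203.0.113.5",
           "203.0.113.77", "192.0.2.14", "192.0.2.99"]
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} icmp {ip}:0 -> 10.0.0.2:0" for i, ip in enumerate(SOURCES)]
    + [f"{1040 + i} udp {ip}:{30000 + i} -> 10.0.0.2:53" for i, ip in enumerate(SOURCES)]
    + ["5000 udp 203.0.113.9:40000 -> 10.0.0.2:53"]  # solitary probe, not a clump
)

def parse(log):
    """Keep inbound pings and high-port-to-53 probes; ignore everything else."""
    events = []
    for line in log.splitlines():
        ts, proto, src, _, dst = line.split()
        ip, sport = src.rsplit(":", 1)
        dport = dst.rsplit(":", 1)[1]
        if proto == "icmp":
            events.append(Event(int(ts), "ping", ip))
        elif proto in ("udp", "tcp") and dport == "53" and int(sport) >= 1024:
            events.append(Event(int(ts), "dns", ip))
    return events

def clumps(events, kind, gap=30, min_sources=4):
    """Bursts of one event kind, split on silences longer than `gap` seconds."""
    bursts = []
    for ev in sorted(e for e in events if e.kind == kind):
        if not bursts or ev.ts - bursts[-1][-1].ts > gap:
            bursts.append([])
        bursts[-1].append(ev)
    # A clump needs several distinct sources; a solitary probe is not one.
    return [(b[0].ts, b[-1].ts, {e.src for e in b}) for b in bursts
            if len({e.src for e in b}) >= min_sources]

def ping_then_dns(events, follow=300, overlap=0.5):
    """Pair each ping clump with a DNS clump that follows it from the same IPs."""
    pairs = []
    for p_start, p_end, p_src in clumps(events, "ping"):
        for d_start, _, d_src in clumps(events, "dns"):
            shared = p_src & d_src
            if 0 <= d_start - p_end <= follow and len(shared) >= overlap * len(p_src):
                nets = {str(ip_network(ip + "/24", strict=False)) for ip in shared}
                pairs.append((p_start, d_start, sorted(shared), len(nets)))
    return pairs
```

Each result is (ping clump start, DNS clump start, shared source IPs, number of distinct /24s), which is enough to check afterwards whether the clumps keep coming from the same networks.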
This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 08:42:21 PDT