Security Incidents mailing list archives
Re: Named "Response from unexpected source"
From: techs () OBFUSCATION ORG (Erik Fichtner)
Date: Mon, 7 Feb 2000 23:17:41 -0500
On Mon, Feb 07, 2000 at 06:36:16PM +0200, Alexandru Popa wrote:
What are these: Feb 4 16:58:16 ns named[233]: Response from unexpected source ([194.102.116.7].61003) Feb 4 16:58:20 ns named[233]: Response from unexpected source ([194.102.93.174].61124) Feb 5 00:20:19 ns named[233]: Response from unexpected source ([194.102.93.174].62927) Feb 7 09:07:39 ns named[244]: Response from unexpected source ([208.147.88.9].53) Feb 7 18:29:47 ns named[236]: Response from unexpected source ([200.242.80.1].53) Sorry, I haven't got the packets
I've seen that behavior from misconfigured systems that have an ip alias on an interface for the nameserver, yet fail to explicitly state in the configuration file to use that address as the source address, and thus, the response packets often get crafted with the "real address" of the computer, instead of the ip alias. ...much to the confusion of the other nameservers... Of course, it could easily be something else entirely. -- Erik Fichtner; Warrior SysAdmin (emf|techs) 34.9908% http://www.obfuscation.org/~techs N 38 53.055' W 77 21.860' 764 ft. "What's the most effective Windows NT remote management tool?" "A car." -- Stephen Northcutt
Current thread:
- stealth scans on old legacy firewalls. Larry W. Cashdollar (Feb 04)
- Re: stealth scans on old legacy firewalls. Leonid Igolnik - LiM (Feb 05)
- Re: stealth scans on old legacy firewalls. SecOrg (Feb 05)
- Named "Response from unexpected source" Alexandru Popa (Feb 07)
- Re: Named "Response from unexpected source" Erik Fichtner (Feb 07)
- Re: Named "Response from unexpected source" Greg Woods (Feb 08)
- echo requests, 1480 bytes thomas lakofski (Feb 08)