Security Incidents mailing list archives

Very large scale named Iquery scan?


From: Tom Whipp <twhipp () COMMERCENTI COM>
Date: Wed, 15 Nov 2000 15:30:39 -0000

Just thought I'd share the following, a number of hosts on my network have
received Iqueries from a single source - these queries are very widely
spaced (about one every 4 days) and the target hosts are being probed
sequentially.

The precise periodicity and sequential nature of these probes seems to
indicate that this is part of an ongoing scan which has been running for at
least 1 month (and by the IP numbers I'd guess closer to 2 months).

I don't think I have a complete trace as we have only just moved our IDS
onto a dedicated host and so the gaps in my early detects can probably be
accounted to dropped packets on an overloaded host - certainly the
increments in IP addresses indicate that the gaps in the early detects are
due to missed detects not a change in scan rate.

The source IP is 211.50.136.189 with the detects by a Snort sensor matching
the [IDS277 - NAMED Iquery Probe] rule.

Sample packet payloads are:

2000-11-15 05:01:12
000 : 4E 2F 09 80 00 00 00 01 00 00 00 00 00 00 01 00   N/..............
020 : 01 00 00 7A 69 00 04 04 03 02 01                  ...zi......

2000-11-11 12:55:05
000 : BE 3E 09 80 00 00 00 01 00 00 00 00 00 00 01 00   .>..............
020 : 01 00 00 7A 69 00 04 04 03 02 01                  ...zi......

This appears to be an IP belonging to a Korean ISP but as the definitive
whois server is in Korean I haven't followed this up much.

The scan sequence is:

2000-11-15 05:01:12 target xxx.xxx.xxx.17
2000-11-11 12:55:05 target xxx.xxx.xxx.16
2000-11-07 21:24:11 target xxx.xxx.xxx.15

2000-10-31 10:47:04 target xxx.xxx.xxx.13
2000-10-27 13:55:31 target xxx.xxx.xxx.12
2000-10-23 18:02:53 target xxx.xxx.xxx.11
2000-10-19 22:35:17 target xxx.xxx.xxx.10 (real DNS server found, followed
immediately with a DNS version query)

2000-10-04 16:37:40 target xxx.xxx.xxx.6
2000-09-30 23:35:18 target xxx.xxx.xxx.5

Just curious if anyone else is seeing this guy.

        Tom
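An added example (not part of Tom's post or of the Snort rule he cites) that decodes the two quoted payloads as DNS messages and re-checks the timing claim from the detect list. The hex bytes and the timestamp/target list are transcribed from the message above; the function names, the indicator heuristics and the assumption that the masked targets share the same first three octets are this example's own. Walking the bytes by the RFC 1035 header layout gives opcode 1 (IQUERY) with an empty question section and a single answer RR (root name, type A, class IN, TTL 0x7A69 = 31337, RDATA 4.3.2.1) in both packets, which is the fixed shape a signature such as the one matched here keys on. The timing part estimates the per-host probe interval from every consecutive pair of detects and checks whether each address gap is explained by that rate, which is the "missed detects, not a rate change" argument made in the post.

```python
"""Decode the quoted IQUERY payloads and check the probe timing in the post.

Added example, not code from the original message. Payloads and detect
timestamps are transcribed from the post; everything else is assumed.
"""
import statistics
import struct
from datetime import datetime

# The two payloads quoted in the post (27 bytes each), transcribed from the hex dump.
SAMPLE_PAYLOADS = {
    "2000-11-15 05:01:12": bytes.fromhex(
        "4E2F0980 00000001 00000000 00 0001 0001 00007A69 0004 04030201"),
    "2000-11-11 12:55:05": bytes.fromhex(
        "BE3E0980 00000001 00000000 00 0001 0001 00007A69 0004 04030201"),
}

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}


def _read_name(payload, off):
    """Read an uncompressed DNS name at `off`; return (dotted name, new offset)."""
    labels = []
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in this probe")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", off


def decode_dns(payload):
    """Parse the 12-byte header and, for an inverse query, its single answer RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    msg = {
        "txid": txid,
        "qr": flags >> 15,                 # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    msg["opcode_name"] = OPCODES.get(msg["opcode"], "reserved")
    # RFC 1035 s6.4: an inverse query carries the address to look up in the
    # answer section (QDCOUNT = 0, ANCOUNT = 1), not in the question section.
    if msg["opcode"] == 1 and qd == 0 and an == 1:
        name, off = _read_name(payload, 12)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        is_a = rtype == 1 and rdlen == 4
        msg["answer"] = {
            "name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": ".".join(str(b) for b in rdata) if is_a else rdata.hex(),
        }
    return msg


def indicators(payload):
    """Return the features of this payload a sensor would reasonably flag."""
    msg = decode_dns(payload)
    hits = []
    if msg["opcode"] == 1:
        hits.append("opcode IQUERY (inverse query; obsolete and rarely legitimate)")
    if msg["qr"] == 0 and msg["qdcount"] == 0 and msg["ancount"] == 1:
        hits.append("query with empty question section and one answer RR")
    ans = msg.get("answer")
    if ans and ans["ttl"] == 31337:
        hits.append("answer TTL 0x7A69 = 31337 (identical across probes)")
    if ans and ans["rdata"] == "4.3.2.1":
        hits.append("answer RDATA 4.3.2.1 (identical across probes)")
    return hits


# Detect log from the post: (timestamp, last octet of the masked target).
DETECTS = [
    ("2000-11-15 05:01:12", 17), ("2000-11-11 12:55:05", 16),
    ("2000-11-07 21:24:11", 15), ("2000-10-31 10:47:04", 13),
    ("2000-10-27 13:55:31", 12), ("2000-10-23 18:02:53", 11),
    ("2000-10-19 22:35:17", 10), ("2000-10-04 16:37:40", 6),
    ("2000-09-30 23:35:18", 5),
]


def analyze_scan(detects):
    """Estimate the per-host probe interval and test whether address gaps are
    explained by missed detects at a constant rate rather than a rate change."""
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), h) for ts, h in detects)
    pairs = []
    for (t0, h0), (t1, h1) in zip(rows, rows[1:]):
        pairs.append((h0, h1, h1 - h0, (t1 - t0).total_seconds()))
    # Median of delta / address-step over all consecutive pairs.
    interval = statistics.median(delta / step for _, _, step, delta in pairs)
    consistent, missed = True, []
    for h0, h1, step, delta in pairs:
        consistent = consistent and round(delta / interval) == step
        missed.extend(range(h0 + 1, h1))      # hosts that should have been probed
    return {"interval_seconds": interval, "interval_days": interval / 86400,
            "rate_consistent": consistent, "missed_hosts": missed}


if __name__ == "__main__":
    for ts, payload in SAMPLE_PAYLOADS.items():
        print(ts, decode_dns(payload))
        for hit in indicators(payload):
            print("    ", hit)
    print(analyze_scan(DETECTS))
```

Run as-is it prints the decoded header and answer RR for both packets, the four indicators each one trips, and a timing summary of roughly 3.8 days per host with .7, .8, .9 and .14 as the hosts whose probes were never logged; every gap rounds to the right number of probe slots at that rate, so the detect list is consistent with the constant-rate reading. A real sensor would key on the flags and counts (the fixed 0x0980 / 0 / 1 / 0 / 0 header) rather than on the transaction ID, which differs between the two packets.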
