Security Incidents mailing list archives

DDoS pointed at dsli.com / 209.203.214.{10,40} ?


From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Fri, 29 Jun 2001 11:24:32 -0500 (CDT)

We were portscanned for open telnets by host 209.44.98.181 a week ago
(or by someone masquerading as same). Following our SOP, we sent
a nasty note and blocked traffic from their /24.

Ever since, however, we've noted our nameservers trying like hell to
resolve 'user181.209.44.98.dsli.com' in the DNS; some investigation
via ethereal showed that numerous hosts in our network were making
these repetitive requests. The nameservers for dsli.com, 209.203.214.{10,40},
are either completely swamped or turned off in self-defense.

Is this a known DDoS? Is there a known technique that I've completely
missed? I either have a network full of nodes responding to some
traffic I'm not seeing, or I have a network full of zombies of (so far)
many different UNIX variants.

Any info gratefully received,

        -g

-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
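A triage helper for the symptom described in the post above: given a DNS server's query log, list the internal clients that keep asking for the same name. This is an added example, not code from the original post; the BIND-style query-log line format is assumed and the log lines are constructed.

```python
"""Find internal hosts that repeatedly query one DNS name, from query-log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed BIND 9 "queries" log format (not real data).
SAMPLE_LOG = """\
29-Jun-2001 11:01:02.101 client 10.0.1.15#1034: query: user181.209.44.98.dsli.com IN A
29-Jun-2001 11:01:02.350 client 10.0.1.15#1035: query: user181.209.44.98.dsli.com IN A
29-Jun-2001 11:01:02.600 client 10.0.1.15#1036: query: user181.209.44.98.dsli.com IN A
29-Jun-2001 11:01:03.010 client 10.0.2.7#2011: query: user181.209.44.98.dsli.com IN A
29-Jun-2001 11:01:03.420 client 10.0.2.7#2012: query: user181.209.44.98.dsli.com IN A
29-Jun-2001 11:01:04.000 client 10.0.3.9#3300: query: www.example.com IN A
29-Jun-2001 11:01:05.000 client 10.0.3.9#3301: query: user181.209.44.98.dsli.com IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(text):
    """Yield (timestamp, client_ip, qname) for every line that is a query record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("client"), m.group("qname").lower().rstrip(".")

def repeat_queriers(text, qname, min_queries=2, window_seconds=60.0):
    """Return {client: total_count} for clients that asked for `qname`
    at least `min_queries` times within any `window_seconds` span."""
    target = qname.lower().rstrip(".")
    per_client = defaultdict(list)
    for ts, client, name in parse_queries(text):
        if name == target:
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0  # sliding window over the sorted query times
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_queries:
                flagged[client] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for client, n in sorted(repeat_queriers(SAMPLE_LOG, "user181.209.44.98.dsli.com").items()):
        print(f"{client}: {n} queries")
```

The flagged client list is the starting point for capturing traffic on those hosts to see what is triggering the lookups.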



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
