Security Incidents mailing list archives
Re: DNS UDP Dos Attack?
From: Wlodek <wlodek () INFOSERVE NET>
Date: Fri, 2 Mar 2001 15:32:50 -0800
I have a similar situation, but from different hosts and different ports.
In my case I consider this a DoS from two networks running win New Technology.
I even contacted the rep. of the companies but they laugh in my face.
All these are from the Canadian UUNet network.
Or maybe I'm a bit parano....

regards
wlodek

here from my logs

02:14 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.43 port 138 to 209.53.203.255 port 138
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:28 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:28 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:02:32 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:32 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.33 port 137 to 209.53.200.255 port 137
eb 21 12:05:08 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 138 to 209.53.207.255 port 138
Feb 21 12:05:09 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 137 to 209.53.207.255 port 137
Feb 21 12:05:13 helium last message repeated 5 times
Feb 21 12:05:13 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 138 to 209.53.207.255 port 138
Feb 21 12:05:14 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 137 to 209.53.207.255 port 137
Feb 21 12:05:15 helium last message repeated 3 times

----- Original Message -----
From: James Kelty <james () TUNA ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, March 02, 2001 2:46 PM
Subject: DNS UDP Dos Attack?

Hello,

I am receiving a ton of attempted UDP connections to an internal host.
Connecting to this host is stopped at my firewall, but my firewall is paying a stiff price. I have seen the available memory on my firewall go down by 1-2 Mbg per minute while it tries to block all this traffic.

Has anyone seen systems trying to reach a DNS host via UDP to port 42326?

Here is a snippet of log files.

UDP out 209.10.34.23:8541 in 209.11.137.71:42326 idle 0:32:24 flags -
UDP out 209.10.34.39:29277 in 209.11.137.71:42326 idle 0:33:26 flags -
UDP out 207.235.38.3:28931 in 209.11.137.71:42326 idle 0:32:42 flags -
UDP out 209.10.34.39:33373 in 209.11.137.71:42326 idle 0:33:38 flags D-
UDP out 206.190.71.2:33812 in 209.11.137.71:42326 idle 0:33:49 flags D-
UDP out 193.141.40.42:1437 in 209.11.137.71:42326 idle 0:35:19 flags -
UDP out 63.91.4.4:12673 in 209.11.137.71:42326 idle 0:34:49 flags -

Thanks for any help!

-James
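
Added example (not part of the original messages): a small triage script for drawbridge log lines like those in the reply above. It counts packets per source and destination, expands syslog's "last message repeated N times" lines, and labels UDP ports 137 and 138 with their registered service names. The function names are hypothetical, the sample is built from lines in the excerpt, and treating a destination ending in .255 as a broadcast address is an assumption.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the log excerpt in the message above.
SAMPLE = """\
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:05:09 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 137 to 209.53.207.255 port 137
Feb 21 12:05:13 helium last message repeated 5 times
Feb 21 12:05:13 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 138 to 209.53.207.255 port 138
"""

ENTRY = re.compile(r"drawbridge: UDP incoming port: from (\S+) port (\d+) to (\S+) port (\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times")
NETBIOS = {137: "netbios-ns", 138: "netbios-dgm"}  # IANA-registered UDP services


def tally(log_text):
    """Count packets per (src, dst, dst_port), expanding syslog repeat lines."""
    counts = Counter()
    last = None  # key of the most recent drawbridge entry
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            last = (m.group(1), m.group(3), int(m.group(4)))
            counts[last] += 1
            continue
        r = REPEAT.search(line)
        if r and last is not None:
            # syslog collapsed N further copies of the previous line
            counts[last] += int(r.group(1))
    return counts


def summarize(counts):
    """Return one row per flow, busiest first, with service and broadcast flags."""
    rows = []
    for (src, dst, dport), n in counts.most_common():
        rows.append({
            "src": src, "dst": dst, "packets": n,
            "service": NETBIOS.get(dport, "other"),
            # Assumption: a last octet of 255 marks a subnet broadcast address.
            "broadcast": dst.endswith(".255"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(tally(SAMPLE)):
        print(row)
```

Without the repeat-line handling, the busiest source in the sample would be undercounted by a factor of six.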
Current thread:
- DNS UDP Dos Attack? James Kelty (Mar 02)
- Re: DNS UDP Dos Attack? Wlodek (Mar 02)
- Re: DNS UDP Dos Attack? Aaron Schultz (Mar 03)
- FROM port 137 TO port 137 Bryan Bradsby (Mar 03)
- Re: DNS UDP Dos Attack? Gary Maltzen (Mar 04)