Re: Attempted DNS queries.

[Alfred Huger <ah () SECURITYFOCUS COM>]

> > .........
> > This goes on. I've been able to to identify at least nine unique hosts which
> > attempted these queries: 167.8.29.52, 206.251.19.88, 209.67.29.8, 216.33.87.8,
> > 216.33.87.10, 63.209.29.136, 208.185.109.155, 167.8.29.91 and 64.14.77.2.
> > Results of the portscan against these hosts can be found at:
> > http://192.117.130.34/Fendor/bind-scan-results
> > Any ideas as to the nature of these queries and the strange pattern which
> > these hosts exhibit?
>
> You're being used by kiddies to DOS other kiddies (at least, they try to
> use you). The trick here is they send your nameserver a query from a
> spoofed address (the address of the victim) asking for the "." zone. So
> with a small question they send a large answer to the victim. See
> ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
>
> The offending hosts in your case are the victims of the DOS attacks.

I would think rather that these are F5/BigIP boxes for which this is known
behaviour. In particular if they are runnint https and ssh. Also see:

http://www.securityfocus.com/archive/75/165260



VP Engineering
SecurityFocus.com
"Vae Victis"