Security Incidents mailing list archives

Re: DNS Floods to personal firewalls


From: Thomas Roessler <roessler () does-not-exist org>
Date: Wed, 16 May 2001 11:28:53 +0200

On 2001-05-16 11:02:29 +0200, Thomas Roessler wrote:

The same characteristic also applies to the logs at http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David posted, and which are 10 days old. (!)

Asking google for a randomly selected common IP address from the list, I found <http://my.maceast.com/homevision-u-l/ace-l/linux-router-l/%2330765452>, where Nicolas Riendeau reports a similar scan which happened on April 13, 2001.

Taking his log file entries ("MrShield") into account, the table of attackers' IP addresses looks like this now:

140.239.176.162         keith   sobolev tifa    mrshield
165.121.70.75           keith
194.205.125.26          keith   sobolev tifa    mrshield
194.213.64.150          keith   sobolev tifa    mrshield
202.139.133.129         keith   sobolev tifa    mrshield
203.194.166.182         keith   sobolev tifa    mrshield
203.208.128.70          keith   sobolev tifa    mrshield
207.55.138.206          keith   sobolev tifa
208.184.162.71          keith   sobolev tifa    mrshield
209.249.97.40           keith   sobolev tifa    mrshield
212.23.225.98           keith   sobolev tifa    mrshield
212.78.160.237          keith           tifa    mrshield
212.78.164.193                  sobolev
216.220.39.42           keith   sobolev tifa    mrshield
216.33.35.214           keith   sobolev tifa    mrshield
216.34.68.2             keith   sobolev tifa    mrshield
216.35.167.58           keith   sobolev tifa
62.23.80.2              keith   sobolev tifa    mrshield
62.26.119.34            keith   sobolev tifa    mrshield
63.209.147.246          keith   sobolev tifa    mrshield
64.14.200.154           keith   sobolev tifa
64.37.200.46            keith   sobolev tifa    mrshield
64.56.174.186           keith   sobolev tifa    mrshield
64.78.235.14            keith   sobolev tifa

Maybe what we are seeing here are mostly decoy addresses used by some tool with an extremely bad RNG?

--
Thomas Roessler                        http://log.does-not-exist.org/
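The cross-referencing done by hand above, as an added example that is not code from the original post: given several observers' firewall logs, pull out the source address of every UDP packet sent from port 53 (the "DNS reply" shape of these floods), and build the table of which site saw which address, plus the list of addresses that several independent sites agree on. The log lines and addresses are constructed for this example (RFC 5737 documentation ranges, in a loose imitation of ipchains-style kernel packet logs); the rule that the source endpoint is the first "ip:port" pair on the line is an assumption about that constructed format, not about the logs quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample firewall logs, one list per observer (the observer
# names mirror the columns of the table in the post). The line format is
# a loose imitation of ipchains-style kernel packet logs and is an
# assumption of this example, not text taken from any log in the thread.
# Addresses come from the RFC 5737 documentation ranges.
OBSERVER_LOGS = {
    "keith": [
        "May  6 03:12:41 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:53 203.0.113.5:1027 L=60",
        "May  6 03:12:41 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 203.0.113.5:1027 L=60",
        "May  6 03:12:41 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 203.0.113.5:1027 L=60",
        "May  6 03:12:42 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.33:53 203.0.113.5:1027 L=60",
        # A TCP probe to telnet: unrelated noise that the filter must drop.
        "May  6 03:15:10 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.99:4321 203.0.113.5:23 L=44 SYN",
    ],
    "sobolev": [
        "May  7 22:40:03 fw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.7:53 203.0.113.77:1025 L=60",
        "May  7 22:40:03 fw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.33:53 203.0.113.77:1025 L=60",
        "May  7 22:40:04 fw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.50:53 203.0.113.77:1025 L=60",
    ],
    "mrshield": [
        "Apr 13 09:01:55 rtr kernel: Packet log: input DENY eth1 PROTO=17 198.51.100.7:53 203.0.113.140:1030 L=60",
        "Apr 13 09:01:55 rtr kernel: Packet log: input DENY eth1 PROTO=17 198.51.100.9:53 203.0.113.140:1030 L=60",
        "Apr 13 09:01:56 rtr kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.33:53 203.0.113.140:1030 L=60",
    ],
}

# Source address of a packet sent *from* port 53. Assumption for the
# constructed format: the source "ip:port" pair precedes the destination.
SRC_PORT_53 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):53(?!\d)")


def extract_sources(lines):
    """Return the set of source IPs that sent UDP packets from port 53."""
    sources = set()
    for line in lines:
        if "PROTO=17" not in line:      # UDP only; TCP probes are ignored
            continue
        m = SRC_PORT_53.search(line)
        if m:
            sources.add(m.group(1))     # a set, so repeated lines collapse
    return sources


def correlate(logs):
    """Map each source IP to the set of observers whose logs contain it."""
    seen_by = defaultdict(set)
    for observer, lines in logs.items():
        for ip in extract_sources(lines):
            seen_by[ip].add(observer)
    return dict(seen_by)


def shared_sources(seen_by, min_observers):
    """IPs reported by at least min_observers independent sites, sorted
    lexically (the same string order the post's table uses)."""
    return sorted(ip for ip, obs in seen_by.items() if len(obs) >= min_observers)


def render_table(seen_by, observers):
    """Render the cross-reference in the layout of the post's table:
    the IP in a 24-column field, then one 8-column cell per observer."""
    rows = []
    for ip in sorted(seen_by):
        cells = [name if name in seen_by[ip] else "" for name in observers]
        rows.append(ip.ljust(24) + "".join(c.ljust(8) for c in cells).rstrip())
    return "\n".join(rows)


if __name__ == "__main__":
    table = correlate(OBSERVER_LOGS)
    print(render_table(table, ["keith", "sobolev", "mrshield"]))
    print("seen by all three sites:", shared_sources(table, 3))
```

The table only makes the overlap visible; whether a list of addresses that recurs across unrelated targets weeks apart is a fixed decoy list or a set of genuinely shared sources is the question the post leaves open. In practice the addresses reported by a single site only are the ones worth checking separately, since a decoy generator would not be expected to produce them.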
