Security Incidents mailing list archives

Re: unidentified DNS attack


From: quentyn () fotango com
Date: Wed, 09 Jan 2002 10:24:01 +0000

David Wilburn wrote:

On Sunday January 6th at about 12:18PM (EST), Snort picked up some
malicious traffic from a Chinese source address to one of our DNS
I see these attacks quite a lot (twice a week is average). There is
always a named version attempt, then an iquery, then the attack
identified in your post.

I presumed that it was an automated tool that was doing the rounds as
the activity has been constant. When I have bothered to investigate
further I have found that the box launching the attacks is always a
Linux box running 2.2.14 or so (what nmap's OS detection reports). They
all look like default RH 6.2 boxes with it all hanging out :o). Note
that my sample size for the above observations is very small (4-6 boxes
- I have only investigated when I have time) so it may not always be
true.

Most of the boxes that I have seen have also been in Asia (esp. China)
somewhere, so reporting the activity may be futile.


Q

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
Any research done on how to efficiently use computers has been long lost
in the mad rush to upgrade systems to do things that aren't needed by
people who don't understand what they are really supposed to do with them.
   Graham Reed
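As an added example (not part of this post or the thread), here is detection logic for the first two steps of the sequence Quentyn describes, a version.bind probe followed by an IQUERY from the same source, run over constructed DNS query payloads. The CHAOS/TXT/opcode constants are the RFC 1035 values; the source addresses are documentation-range placeholders.

```python
"""Flag the DNS recon sequence the post describes: a BIND version probe (TXT for
version.bind, class CHAOS) then an IQUERY (opcode 1) from the same source. Constructed samples only."""
import struct
CHAOS, TXT, OPCODE_IQUERY = 3, 16, 1

def build_query(qname, qtype, qclass, opcode=0, txid=0x1234):
    # One-question query; flags carry the opcode in bits 11-14 plus RD.
    header = struct.pack("!HHHHHH", txid, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)

def build_iquery(rdata, txid=0x1235):
    # RFC 1035 inverse query: no question, one A record in the answer section.
    header = struct.pack("!HHHHHH", txid, OPCODE_IQUERY << 11, 0, 1, 0, 0)
    return header + b"\x00" + struct.pack("!HHIH", 1, 1, 0, len(rdata)) + rdata

def parse_query(payload):
    # Header opcode plus the first question (if any); labels are lower-cased.
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    pos, labels = 12, []
    while qdcount and payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5]) if qdcount else (0, 0)
    return {"opcode": (flags >> 11) & 0xF, "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}

def classify(q):
    if q["opcode"] == OPCODE_IQUERY:
        return "iquery"
    if q["qclass"] == CHAOS and q["qtype"] == TXT and q["qname"] == "version.bind":
        return "version_probe"
    return None

def find_recon_sources(packets):
    """packets: iterable of (src_ip, payload); return sources that probed and then sent an IQUERY."""
    probed, flagged = set(), []
    for src, payload in packets:
        stage = classify(parse_query(payload))
        if stage == "version_probe":
            probed.add(src)
        elif stage == "iquery" and src in probed and src not in flagged:
            flagged.append(src)
    return flagged

SAMPLE = [  # constructed: 203.0.113.7 follows the pattern, 198.51.100.2 only probes
    ("203.0.113.7", build_query("version.bind", TXT, CHAOS)),
    ("203.0.113.7", build_iquery(b"\x0a\x00\x00\x01")),
    ("198.51.100.2", build_query("version.bind", TXT, CHAOS)),
]
```

A probe on its own is not flagged; only the ordered pair from one source is, which keeps a single administrator checking version.bind out of the alert.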

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
