Security Incidents mailing list archives
Re: Strange DNS/TCP activity
From: hmkash () ARL MIL (Howard M. Kash III)
Date: Thu, 27 Jan 2000 08:27:36 EST
Our nameservers have been a subject of suspicious probes (?) aimed at TCP port 53 recently. Here is a genuine tcpdump transcript of one of the probes (line-wrapped for better readability):

19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain:
    S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
    (payload of 64 zeros)

See my analysis at:

http://www.sans.org/y2k/DNS.htm

There's one possible explanation given, but if you hear of any others, please let me know.

Howard
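
An added example, not part of the original post: a Python filter over tcpdump text output in the format quoted above that flags an initial SYN carrying payload bytes to TCP port 53, the trait visible in the transcript. The first sample line is taken from the post; the remaining lines, the 192.0.2.10 address, and the function name syn_with_data are constructed for illustration.

```python
import re

# tcpdump text format as quoted in the post:
#   time src.port > dst.port: flags seq:end(len) ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFRP.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?P<rest>.*)$"
)
DNS_PORTS = {"domain", "53"}  # tcpdump prints the service name unless run with -n

def syn_with_data(lines, ports=DNS_PORTS):
    """Return initial SYNs to `ports` whose segment carries payload bytes."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP line in this format
        length = int(m["len"])
        # seq:end(len) must be self-consistent, modulo 32-bit wraparound
        if (int(m["end"]) - int(m["seq"])) % 2**32 != length:
            continue
        # A SYN-ACK also prints "S" but is followed by "ack N"
        initial_syn = m["flags"] == "S" and " ack " not in m["rest"]
        if initial_syn and m["dport"] in ports and length > 0:
            ttl = re.search(r"\bttl (\d+)", m["rest"])
            hits.append({"ts": m["ts"], "src": m["src"], "sport": m["sport"],
                         "dst": m["dst"], "payload_len": length,
                         "ttl": int(ttl.group(1)) if ttl else None})
    return hits

SAMPLE = [
    # From the post above (unwrapped onto one line)
    "19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain: S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)",
    # Constructed: ordinary empty SYN to TCP/53
    "19:51:02.114201 192.0.2.10.1033 > our.nameserver.domain: S 88120001:88120001(0) win 8192 (ttl 52, id 4101)",
    # Constructed: SYN-ACK reply from the nameserver
    "19:51:02.114377 our.nameserver.domain > 192.0.2.10.1033: S 3011:3011(0) ack 88120002 win 8760 (ttl 64, id 90)",
    # Constructed: data segment after the handshake (not a SYN)
    "19:51:02.201544 192.0.2.10.1033 > our.nameserver.domain: P 88120002:88120033(31) ack 3012 win 8192 (ttl 52, id 4102)",
]

if __name__ == "__main__":
    for hit in syn_with_data(SAMPLE):
        print(hit)
```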