Security Incidents mailing list archives

Re: Strange DNS/TCP activity


From: hmkash () ARL MIL (Howard M. Kash III)
Date: Thu, 27 Jan 2000 08:27:36 EST


Our nameservers have been a subject of suspicious probes (?) aimed at TCP
port 53 recently. Here is a genuine tcpdump transcript of one of the
probes (line-wrapped for better readability):

19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain:
  S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
  (payload of 64 zeros)

See my analysis at:

        http://www.sans.org/y2k/DNS.htm

There's one possible explanation given, but if you hear of
any others, please let me know.

Howard
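
An added example, not part of the original post or of the linked analysis: a small Python filter that picks pure SYN segments carrying data to TCP port 53 out of tcpdump text in the format of the transcript above. Only the first sample record comes from the post; the other two records, the function names, and the treatment of a trailing `.domain` as port 53 are assumptions of this example.

```python
import re

# Old-style tcpdump TCP record: time src.port > dst.port: flags seq:end(len) ...
RECORD = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<flags>[SFPRUWE.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
)
DNS_PORTS = {"53", "domain"}  # tcpdump prints port 53 as "domain" unless run with -n

# First record is the one quoted in the post; the other two are constructed.
SAMPLE = """\
19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain:
  S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
19:50:24.100000 192.0.2.10.1045 > our.nameserver.domain:
  S 3000:3000(0) win 8192 (ttl 57, id 100)
19:50:25.200000 192.0.2.11.1046 > our.nameserver.smtp:
  S 5000:5064(64) win 2048 (ttl 57, id 101)
"""

def join_wrapped(text):
    """Re-join line-wrapped records; continuation lines start with whitespace."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    return records

def syn_with_payload(text, ports=DNS_PORTS):
    """Return (time, source, payload_len) for pure SYNs that carry data to DNS/TCP."""
    hits = []
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m or m["dport"] not in ports:
            continue
        pure_syn = m["flags"] == "S" and " ack " not in rec
        length = int(m["len"])
        # The printed length must agree with the sequence range (mod 2**32).
        consistent = (int(m["end"]) - int(m["seq"])) % 2**32 == length
        if pure_syn and length > 0 and consistent:
            hits.append((m["ts"], f'{m["src"]}.{m["sport"]}', length))
    return hits

if __name__ == "__main__":
    print(syn_with_payload(SAMPLE))
```
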

