Security Incidents mailing list archives
Re: Large DNS scans from 211.53.208.178
From: davebb () WEATHER ADMIN NIU EDU (David B. Bukowski)
Date: Wed, 3 May 2000 15:22:19 -0500
As to finding a list of IP addresses and countries / locations where they originate, you really can't do that the way you might think. For example, I might have a circuit running to Japan or Australia and be letting them run from a block of my US IPs. Physical location and IP addresses have no correlation, although we try to keep them matching. The only way is to ask each router where it is at and where its IP routing tables go to. Just remember DNS info is not very reliable, as the person who hosts the DNS can put whatever they want in there, and the ARIN whois just gives the owner's addressing info.

-dave

On Tue, 2 May 2000, Ed Padin wrote:
It seems that a lot of crap is coming from Korea. I see a lot of attempts to TCP port 109... Which is kinda silly. There was discussion on this earlier. It seems that blocking all of Korea (and Demon Internet in the UK?) might be a good idea. I think that the Koreans have been hit hard by virii/trojans lately. This stuff is probably coming from compromised systems.

Does anyone know where I can find a list that shows IP addresses and countries/location? I'm starting to think that I may want to start blocking access from whole address ranges to certain of my servers. There are some places on the globe with which we do no business at all.

Thanks.

-----Original Message-----
From: Bryan Seitz [mailto:seitz () CARTMAN EE UDEL EDU]
Sent: Monday, May 01, 2000 2:07 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Large DNS scans from 211.53.208.178

On Fri, 28 Apr 2000, alann lopes wrote:

We are seeing substantial scans of DNS from 211.53.208.178, apparently from Korea... Anyone else?

Thank you -- alann

======================================================================
Apr 28 12:23:44 PDT tcp 211.53.208.178(4147)->132.239.242.207(53), 1
Apr 28 12:23:46 PDT tcp 211.53.208.178(4140)
snip
Apr 28 15:07:44 PDT tcp 211.53.208.178(1960)->132.239.242.192(53), 1
======================================================================

Not from that specific host, but from .kr yes...

Apr 21 15:00:38 cartman /kernel: ipfw: 3500 Deny TCP 210.182.140.145:4993 128.175.200.41:53 in via xl0
Apr 28 18:02:21 cartman /kernel: ipfw: 3500 Deny TCP 210.182.66.3:1436 128.175.200.41:53 in via xl0
snip
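
Added example, not part of any message in this thread: a small Python tally that reads the two log formats quoted above and groups port 53 probes by source address, so the reports can be compared by what the logs actually show rather than by presumed country. The function names, the /16 grouping (an arbitrary bucket, not an allocation boundary or a location) and the two-target threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the thread above: a flow summary format and FreeBSD ipfw.
# The second line is the truncated one from the original post and is skipped.
SAMPLE = """\
Apr 28 12:23:44 PDT tcp 211.53.208.178(4147)->132.239.242.207(53), 1
Apr 28 12:23:46 PDT tcp 211.53.208.178(4140)
Apr 28 15:07:44 PDT tcp 211.53.208.178(1960)->132.239.242.192(53), 1
Apr 21 15:00:38 cartman /kernel: ipfw: 3500 Deny TCP 210.182.140.145:4993 128.175.200.41:53 in via xl0
Apr 28 18:02:21 cartman /kernel: ipfw: 3500 Deny TCP 210.182.66.3:1436 128.175.200.41:53 in via xl0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FLOW = re.compile(rf"\b(?:tcp|udp) {IP}\(\d+\)->{IP}\((\d+)\)")
IPFW = re.compile(rf"ipfw: \d+ Deny (?:TCP|UDP) {IP}:\d+ {IP}:(\d+) ")

def parse(line):
    """Return (src, dst, dport), or None for lines that do not fully match."""
    m = FLOW.search(line) or IPFW.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def dns_probe_summary(text, port=53):
    """Map /16 source prefix -> {source address: set of destinations probed on port}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec[2] == port:
            src, dst, _ = rec
            prefix = ".".join(src.split(".")[:2]) + ".0.0/16"  # assumed bucket size
            out[prefix][src].add(dst)
    return {p: dict(s) for p, s in out.items()}

def wide_sources(summary, min_targets=2):
    """Sources seen probing at least min_targets distinct hosts (assumed threshold)."""
    return sorted(src for srcs in summary.values()
                  for src, dsts in srcs.items() if len(dsts) >= min_targets)

if __name__ == "__main__":
    summary = dns_probe_summary(SAMPLE)
    for prefix, srcs in sorted(summary.items()):
        for src, dsts in sorted(srcs.items()):
            print(f"{prefix:18} {src:16} {len(dsts)} target(s)")
    print("multi-target:", wide_sources(summary))
```
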