Security Incidents mailing list archives
RE: DNS Floods to personal firewalls (mystery correlated)
From: Matt Scarborough <vexversa () usa net>
Date: 17 May 2001 14:07:18 EDT
Not complaining who's first, just letting you know their story seems to track. See below. On Wed, 16 May 2001 10:46:11 -0400, "Keith.Morgan" <Keith.Morgan () Terradon com> wrote:
Ok folks. I've done some investigation with a number of providers. Here's what we believe is happening. There's an organization called "mirror-image" (see http://www.mirror-image.com) running an application that "tries to find shortest vector distance between http request, and http reply." Their application used to use high ports, but apparently, they've recently changed to using port 53. I'll be contacting their development team today to ask why they would use port 53 (to avoid firewalls dropping the packets?) as opposed to 80, or high ports. Every provider I contacted (the ones that were even vaguely cooperative) hosted, or otherwise did business with these folks at mirror-image. It appears that the mystery may be solved.
I ran this to ground with exactly the same results in July 2000. That was back when they were using the high ports.

http://www.incidents.org/archives/y2k/070700.htm

You may note from that tcpdump trace that they ran a server parallel to their DNS server. That parallel server first bounced a DNS Query Response off the high port of the requesting client. Then the real DNS server responded to the requesting client with a valid DNS Query Response. Seems like they determined the bandwidth overhead is far less with a SYN packet too.

Matt 2001-05-17

____________________________________________________________________
Get free email and a permanent address at http://www.amexmail.com/?A=1
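The traffic both posters describe (DNS "responses" arriving from source port 53 at client ports that never sent a query) is exactly what a stateless packet filter that blanket-allows port 53 will pass. The check a personal firewall or IDS needs is stateful: pair each inbound response with an outstanding query on the same client port and transaction ID, and flag responses with no match. The script below is an added example, not code from either poster or from mirror-image; it parses a simplified tcpdump-style line format (an assumption, chosen to resemble the trace in the thread) over constructed sample lines, and the IP addresses, ports and transaction IDs in them are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in a simplified tcpdump DNS format (not real captures).
# Lines 1-2 and 5-6 are a normal query/response pair; lines 3-4 are responses from
# port 53 to client ports that never issued a query, i.e. the pattern in the thread.
SAMPLE_LINES = [
    "10:00:01.000 IP 192.0.2.10.3421 > 203.0.113.5.53: 41337+ A? www.example.com.",
    "10:00:01.050 IP 203.0.113.5.53 > 192.0.2.10.3421: 41337 1/0/0 A 203.0.113.7",
    "10:00:02.000 IP 198.51.100.9.53 > 192.0.2.10.1045: 9182 0/0/0",
    "10:00:02.010 IP 198.51.100.9.53 > 192.0.2.10.1046: 9183 0/0/0",
    "10:00:03.000 IP 192.0.2.10.3422 > 203.0.113.5.53: 41338+ A? mail.example.com.",
    "10:00:03.100 IP 203.0.113.5.53 > 192.0.2.10.3422: 41338 1/0/0 A 203.0.113.8",
]

# Assumed line layout: "<hh:mm:ss.frac> IP <src>.<sport> > <dst>.<dport>: <txid>[+] <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<rest>.*)$"
)


@dataclass
class DnsPacket:
    ts: float          # seconds since midnight, from the timestamp field
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    is_response: bool  # True when the body carries an answer-count triple "a/n/a"


def _ts_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[DnsPacket]:
    """Parse one line; return None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # In tcpdump's DNS decoder a response body starts with "answers/authority/additional".
    is_response = re.match(r"\d+/\d+/\d+", m.group("rest")) is not None
    return DnsPacket(
        ts=_ts_seconds(m.group("ts")),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        txid=int(m.group("txid")),
        is_response=is_response,
    )


def find_unsolicited(lines: List[str], window: float = 5.0) -> List[DnsPacket]:
    """Return responses that match no query sent within `window` seconds.

    A query is keyed by (client ip, client port, server ip, txid); a legitimate
    response must come back from that server to that client port with that txid.
    """
    outstanding = {}  # key -> time the query was sent
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if not pkt.is_response:
            outstanding[(pkt.src, pkt.sport, pkt.dst, pkt.txid)] = pkt.ts
            continue
        key = (pkt.dst, pkt.dport, pkt.src, pkt.txid)
        sent = outstanding.pop(key, None)
        if sent is None or pkt.ts - sent > window:
            hits.append(pkt)
    return hits


if __name__ == "__main__":
    for p in find_unsolicited(SAMPLE_LINES):
        print(f"unsolicited DNS response from {p.src}:{p.sport} "
              f"to {p.dst}:{p.dport} txid={p.txid}")
```

The matching key is deliberately strict (server address, client port and transaction ID all have to agree), which is the same state a stateful firewall keeps for UDP; a port-53 source on its own proves nothing, since any host can send from that port.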