Security Incidents mailing list archives

RE: DNS Floods to personal firewalls (mystery correlated)


From: Matt Scarborough <vexversa () usa net>
Date: 17 May 2001 14:07:18 EDT

Not complaining who's first, just letting you know their story seems to track.
See below.

On Wed, 16 May 2001 10:46:11 -0400, "Keith.Morgan" <Keith.Morgan () Terradon com>
wrote:

Ok folks.  I've done some investigation with a number of providers.  Here's
what we believe is happening.  There's an organization called "mirror-image"
(see http://www.mirror-image.com) running an application that "tries to find
shortest vector distance between http request, and http reply."  Their
application used to use high ports, but apparently, they've recently changed
to using port 53.  I'll be contacting their development team today to ask
why they would use port 53 (to avoid firewalls dropping the packets?) as
opposed to 80, or high ports.

Every provider I contacted (the ones that were even vaguely cooperative)
hosted, or otherwise did business with these folks at mirror-image.  It
appears that the mystery may be solved.

I ran this to ground with exactly the same results in July 2000. That was back
when they were using the high ports.
http://www.incidents.org/archives/y2k/070700.htm

You may note from that tcpdump trace that they ran a server parallel to their
DNS server. That parallel server first bounced a DNS Query Response off the
high port of the requesting client. Then the real DNS server responded to the
requesting client with a valid DNS Query Response.

Seems like they determined the bandwidth overhead is far less with a SYN
packet too.

Matt 2001-05-17
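The pattern Matt describes, a second server answering a client's DNS transaction alongside the real resolver, plus the outright unsolicited "responses" that were hitting personal firewalls, can both be picked out of a packet capture by matching every inbound UDP/53 reply against the queries the host actually sent. The script below is an added example, not code from this thread or from mirror-image; it assumes a simplified tcpdump-style one-packet-per-line shape and runs over a small constructed sample, not a real capture.

```python
"""Flag DNS responses that no query from this host asked for.

Constructed tcpdump-style UDP/53 lines (not a real capture) are parsed and
every response is checked against the queries seen before it.  A response
with no matching query is 'unsolicited'; one whose matching query went to a
different server is 'unexpected_source', which is how the parallel server
described in the thread would show up next to the real DNS server's reply.
"""
import re

# Assumed simplified 'tcpdump udp and port 53' line shape, one packet per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)\+? (?P<rest>.*)$"
)

# Constructed sample: a normal query/answer pair, a second answer for the same
# transaction from a different server, and an answer nobody asked for.
SAMPLE_LINES = [
    "10:01:02.000 IP 192.0.2.10.3456 > 198.51.100.5.53: 1234+ A? www.example.com.",
    "10:01:02.050 IP 198.51.100.5.53 > 192.0.2.10.3456: 1234 1/0/0 A 203.0.113.7",
    "10:01:02.051 IP 198.51.100.9.53 > 192.0.2.10.3456: 1234 1/0/0 A 203.0.113.7",
    "10:01:05.000 IP 203.0.113.44.53 > 192.0.2.10.1025: 777 1/0/0 A 203.0.113.7",
]


def parse_line(line):
    """Return the packet fields as a dict, or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    # tcpdump prints 'A? name' for questions and 'n/n/n' answer counts for replies
    pkt["is_query"] = "?" in pkt["rest"]
    return pkt


def classify_responses(lines):
    """Walk the capture in order and label every DNS response."""
    pending = {}   # (client ip, client port, txid) -> server ip the query went to
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["is_query"] and pkt["dport"] == "53":
            pending[(pkt["src"], pkt["sport"], pkt["txid"])] = pkt["dst"]
            continue
        if pkt["sport"] != "53" or pkt["is_query"]:
            continue
        key = (pkt["dst"], pkt["dport"], pkt["txid"])
        if key not in pending:
            verdict = "unsolicited"          # no query from that client port/id
        elif pending[key] != pkt["src"]:
            verdict = "unexpected_source"    # answered by a server we never asked
        else:
            verdict = "expected"
        findings.append({"ts": pkt["ts"], "server": pkt["src"],
                         "client_port": pkt["dport"], "txid": pkt["txid"],
                         "verdict": verdict})
    return findings


def suspicious(lines):
    """Only the responses a personal-firewall user would want to look at."""
    return [f for f in classify_responses(lines) if f["verdict"] != "expected"]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LINES):
        print(f"{f['ts']} {f['verdict']:17} from {f['server']} "
              f"to port {f['client_port']} id {f['txid']}")
```

The pending table is deliberately never cleared on the first answer, so a legitimate reply that arrives after the bounced one is still scored as expected; on a real capture you would also age entries out, since transaction ids are reused.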


