version.bind request

["Portnoy, Gary" <gportnoy () belenosinc com>]

Greetings.

I have Snort configured to alert on version.bind queries and the following
is what i've been seeing.
In the last week, I've seen about 10 version.bind queries to seemingly
random IP's on my subnet.  Some of these IP's don't even have hosts
associated with them.  Checking back in my logs, it doesn't look like the
various source IPs performed any recon beforehand, and since version.bind is
UDP-based, they can afford to send out the query without first establishing
the connection.  So, in effect, what i am seeing is almost like a ping sweep
for DNS servers.  The interesting thing is that i don't see the source IP
return, no exploit, and no scan of additional IPs by the same source :

2001-05-28 15:38:42     157.158.66.54  ->  a.b.c.52
2001-05-28 23:24:53     211.72.169.14  ->  a.b.c.55
2001-05-27 08:42:48     203.146.184.8  ->  a.b.c.17
2001-05-27 18:01:54     213.29.194.62  ->  a.b.c.4
2001-05-25 01:23:01     213.42.50.224  ->  a.b.c.52
2001-05-23 13:32:45     210.99.96.107  ->  a.b.c.2
2001-05-22 06:20:34     209.196.46.130  ->  a.b.c.5
2001-05-22 16:06:12     62.110.55.180  ->  a.b.c.25
2001-05-22 16:16:37     209.245.0.125  ->  a.b.c.3
2001-05-13 01:40:56     203.87.131.9  ->  a.b.c.25
2001-05-13 05:10:39     195.76.10.128  ->  a.b.c.7

Any ideas/ correlations?

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C