Security Incidents mailing list archives

Re: BIND scan from Wanadoo.fr


From: Mike Arnold <MKArnold () tesco net>
Date: Sat, 17 Aug 2002 02:30:34 +0100

On Friday 16 Aug 2002 5:31 pm, you wrote:
> I have seen them scan for misconfigured TP servers all the time .. and I
> block that on all of my firewalls, I think we all know when they add a new
> subnet, we get scanned and add it to our list of Wanadoo .. but what I'm
> saying is that this is the first time I see them originate high port and
> scan the destination port 53 .. that is what is new.

I'm consistently getting scans of this nature from various subnets around the 
world. Not traced them back to source since they appeared to be just "noise". 
However, they always come on the back of a DNS cache lookup, much like the 
"speedera pings" that attempt to route you through to the fastest DNS server. 
Not looked into any deeper than that. I have traced the odd one back to a 
subnet in Asia (I think), but not carried out a scientific analysis. I have 
the logs to go back through at some stage to see if they are consistently 
coming from the same region. A big yippee for SamSpade, makes life so much 
easier.

Only other thing that appears consistent is that they come in clumps. Never a 
solitary scan, always about 6 from various IPs on different subnets. Often 
they come as a clump of pings from 6 addresses followed by a clump of DNS 
scans from the same IPs. Couldn't explain it, but had other things to worry 
about so I never looked any deeper. Things are quietening off so I may do 
some studies of them.

On a 2 hour re-connect dialup (yeah, I'm one of those that can't yet get 
broadband *sigh*) I've had almost 900 of these in the last month - 2 weeks of 
which the firewall was turned off due to holidays. Prior to that I hadn't got 
a DNS cache so I couldn't say.

Hope that helps.

Mike

--
 "In their capacity as a tool, computers will be but a ripple on the 
   surface of our culture. In their capacity as intellectual challenge, 
   they are without precedent in the cultural history of mankind." 
        Edsger Wybe Dijkstra on Computers
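The "clump of pings, then a clump of port-53 probes from the same IPs" pattern Mike describes, turned into a small correlation check over constructed firewall log lines. This is an added example, not code from the thread; the log format, the `window` and `min_sources` thresholds and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread).
# Format: "<epoch> ICMP <src> -> <dst> echo" or "<epoch> <UDP|TCP> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
1029546000 ICMP 203.0.113.10 -> 198.51.100.5 echo
1029546001 ICMP 203.0.113.11 -> 198.51.100.5 echo
1029546002 ICMP 203.0.113.12 -> 198.51.100.5 echo
1029546003 ICMP 192.0.2.77 -> 198.51.100.5 echo
1029546040 UDP 203.0.113.10:33021 -> 198.51.100.5:53
1029546041 UDP 203.0.113.11:40117 -> 198.51.100.5:53
1029546042 UDP 203.0.113.12:51203 -> 198.51.100.5:53
1029546050 UDP 198.51.100.5:1025 -> 192.0.2.53:53
1029546060 TCP 192.0.2.77:1234 -> 198.51.100.5:80
1029547500 UDP 203.0.113.20:45000 -> 198.51.100.5:53
"""

ICMP_RE = re.compile(r"^(\d+) ICMP (\S+) -> (\S+) echo$")
L4_RE = re.compile(r"^(\d+) (?:UDP|TCP) (\S+):(\d+) -> (\S+):(\d+)$")


def ping_then_dns_probes(log_text, window=300, min_sport=1024):
    """Return {src_ip: (last_ping_ts, probe_ts)} for sources that sent an ICMP
    echo and then, within `window` seconds, hit destination port 53 from a
    high (ephemeral) source port. A legitimate resolver or the host's own
    outbound lookups do not ping first, so the pairing is the useful signal."""
    pings = defaultdict(list)
    hits = {}
    for line in log_text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            pings[m.group(2)].append(int(m.group(1)))
            continue
        m = L4_RE.match(line)
        if not m:
            continue
        ts, src, sport, dport = int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(5))
        if dport != 53 or sport < min_sport or src in hits:
            continue
        recent = [p for p in pings.get(src, ()) if 0 <= ts - p <= window]
        if recent:
            hits[src] = (max(recent), ts)
    return hits


def is_clump(hits, min_sources=3):
    """A single source may just be a misbehaving resolver; several distinct
    sources showing the pattern in one log window is the clump the thread describes."""
    return len(hits) >= min_sources
```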

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com