Security Incidents mailing list archives

Re: Unusual DNS requests (not related to previous DNS thread)


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 15 Jan 2002 11:14:36 -0700 (MST)

On Mon, 14 Jan 2002 measl () mfn org wrote:


> So far, so good.  The request is for a PTR
> record: 0.xxx.xxx.xx.in-addr.arpa.  No, that's not a typo, they are
> requesting reverse for the network address at .0.

Don't get too worried about the 0. part... recall that these are in
reverse order, so the guy is asking for a name for x.y.z.0.  Or maybe
that's what you were worried about.  It's not common but, depending on
subnet mask, .0 addresses aren't always reserved.

> A packet capture shows
> absolutely nothing out of the ordinary, other than the freaky request, and
> the regularity of the requests, about one request every five seconds, round
> the clock.

So this begs the question... is this DNS server supposed to be serving
in-addr.arpa records?  I.e. is it reverse for some network address range?
If so, is there a possibility that that network range is a smurf
amplifier?

                                        Ryan
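
An added example, not part of the original post: a Python sketch of the point made in the reply, that an in-addr.arpa name lists its octets in reverse order and that whether a .0 address is a network address depends on the subnet mask. The function names and the 10.1.x.x sample names are constructed for illustration.

```python
import ipaddress

SUFFIX = ".in-addr.arpa"


def ptr_to_ipv4(qname):
    """Recover the IPv4 address a full in-addr.arpa PTR query name asks about."""
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        raise ValueError("not an in-addr.arpa name: %r" % qname)
    labels = name[:-len(SUFFIX)].split(".")
    # A host-level PTR name has exactly four decimal labels, each 0..255.
    if len(labels) != 4 or not all(
        l.isascii() and l.isdigit() and int(l) <= 255 for l in labels
    ):
        raise ValueError("not a four-octet PTR name: %r" % qname)
    # Labels are least-significant octet first, so reverse them.
    return ipaddress.IPv4Address(".".join(reversed(labels)))


def role_in_subnet(addr, prefixlen):
    """Classify addr as 'network', 'broadcast' or 'host' for a given prefix length."""
    net = ipaddress.ip_network("%s/%d" % (addr, prefixlen), strict=False)
    if prefixlen >= 31:
        # /31 point-to-point links (RFC 3021) and /32 have no reserved addresses.
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def classify(qnames, prefixlen):
    """Map each PTR query name to (address, role) under the assumed prefix length."""
    out = {}
    for q in qnames:
        addr = ptr_to_ipv4(q)
        out[q] = (str(addr), role_in_subnet(addr, prefixlen))
    return out


if __name__ == "__main__":
    # Constructed sample query names; the prefix lengths are assumptions.
    sample = ["0.1.1.10.in-addr.arpa.", "255.1.1.10.in-addr.arpa."]
    for plen in (24, 23):
        print(plen, classify(sample, plen))
```

The same query name comes out as a network address under a /24 and as an ordinary host address under a /23, which is why the mask in use on the queried range has to be known before reading anything into the .0.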

