Security Incidents mailing list archives

Re: New DNS connection with SYN ACK


From: Nick Drage <nickd () demon net>
Date: Mon, 14 Jan 2002 13:00:56 +0000

On Fri, Jan 11, 2002 at 07:47:17PM +0100, Richard Arends wrote:
On 11 Jan 2002, Jerry Perser wrote:

Here are the 19 IP addresses:


I'm getting scans for port 53 from the same IPs!

Apologies for adding another "me too", but there's a thread in
comp.security.firewalls, subject "Misconfigured DNS, firewall too tight
or (spoofed?) attack?", discussing the same thing.

I'd be interested to know what is causing this traffic; my guess in that
Usenet thread was that the person receiving these packets was a fake
source for DNS scanning - but that is, of course, wrong.

-- 
Nick Drage - Security Architecture - Demon Internet
"A lonely voice
 Echoing through the wilderness
 Request Timed Out"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

