Security Incidents mailing list archives

Flood of bad DNS queries


From: Brett Glass <brett () lariat org>
Date: Wed, 03 Dec 2003 13:41:51 -0700

Our logs are filling with reports of bogus queries which ask machines to do reverse lookups on their own IP addresses 
(backwards, with .in-addr.arpa appended, as is the usual convention). The queries are being addressed to machines which 
are not domain name servers and/or are not intended to serve queries from the outside world.

We're also seeing large numbers of requests to resolve ".". 

Ironically, many of these requests are coming from addresses such as 207.46.49.152,
which belongs to MSN. (It's unclear whether machines at Microsoft have been
infected, or if the queries are coming from a user logged into MSN.)

What worm or Trojan is causing this? What vulnerability is being attacked here?

--Brett Glass
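
The two query patterns described in the message above (a PTR lookup for the destination host's own address, and a query for "."), as an added example that is not part of the original post. The four-field log format `src dst qtype qname`, the function names, and the sample records (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records, not taken from the post.
# Assumed format: "src dst qtype qname" (hypothetical; adapt to your logger).
SAMPLE = """\
198.51.100.7 192.0.2.10 PTR 10.2.0.192.in-addr.arpa.
198.51.100.7 192.0.2.11 PTR 11.2.0.192.in-addr.arpa
198.51.100.9 192.0.2.10 NS .
203.0.113.5 192.0.2.53 A www.example.org.
203.0.113.5 192.0.2.53 PTR 10.2.0.192.in-addr.arpa.
garbage line
"""


def classify(dst, qname):
    """Return 'root', 'self-ptr', or None for one query sent to host dst."""
    name = qname.lower()
    if name == ".":
        return "root"  # request to resolve the root itself
    try:
        # reverse_pointer yields e.g. '10.2.0.192.in-addr.arpa' (no trailing dot)
        own = ipaddress.ip_address(dst).reverse_pointer
    except ValueError:
        return None  # destination field is not an IP address
    # Flag only when the name asked for is the destination's own reverse name.
    return "self-ptr" if name.rstrip(".") == own else None


def scan(lines):
    """Count flagged queries per (source address, pattern)."""
    hits = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, _qtype, qname = parts
        kind = classify(dst, qname)
        if kind:
            hits[(src, kind)] += 1
    return hits


if __name__ == "__main__":
    for (src, kind), n in scan(SAMPLE.splitlines()).most_common():
        print(f"{src:15} {kind:8} {n}")
```

Grouping by source shows whether the flood comes from a few hosts or many; a PTR query for some other address (the fifth sample record) is left unflagged.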

