Security Incidents mailing list archives
Flood of bad DNS queries
From: Brett Glass <brett () lariat org>
Date: Wed, 03 Dec 2003 13:41:51 -0700
Our logs are filling with reports of bogus queries which ask machines to do reverse lookups on their own IP addresses (backwards, with .in-addr.arpa appended, as is the usual convention). The queries are being addressed to machines which are not domain name servers and/or are not intended to serve queries from the outside world.

We're also seeing large numbers of requests to resolve ".".

Ironically, many of these requests are coming from addresses such as 207.46.49.152, which belongs to MSN. (It's unclear whether machines at Microsoft have been infected, or if the queries are coming from a user logged into MSN.)

What worm or Trojan is causing this? What vulnerability is being attacked here?

--Brett Glass
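An added example, not part of the original post: a small Python triage script that picks the two query patterns described above (a PTR query for the destination host's own address, and a query for ".") out of a query log and counts them per source. The log format, the sample lines, the addresses and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in an assumed format: "<time> <src> <dst> <qtype> <qname>".
# Addresses are documentation ranges, not values taken from the post.
SAMPLE_LOG = """\
13:40:01 198.51.100.7 192.0.2.10 PTR 10.2.0.192.in-addr.arpa.
13:40:02 198.51.100.7 192.0.2.11 PTR 11.2.0.192.in-addr.arpa
13:40:02 198.51.100.9 192.0.2.10 NS .
13:40:03 203.0.113.5 192.0.2.53 A www.example.org.
13:40:04 203.0.113.5 192.0.2.53 PTR 10.2.0.192.in-addr.arpa.
13:40:05 malformed line
"""

def classify(dst, qtype, qname):
    """Return 'self-ptr', 'root', or None for a single query."""
    name = qname.rstrip(".").lower()
    if name == "":
        return "root"  # query for "." itself
    try:
        # Reverse name of the host the query was sent to.
        own = ipaddress.ip_address(dst).reverse_pointer
    except ValueError:
        return None  # destination field is not an IP address
    if qtype.upper() == "PTR" and name == own:
        return "self-ptr"  # host asked to reverse-resolve its own address
    return None

def scan(log_text):
    """Return (src, dst, kind) for every line matching either pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        _, src, dst, qtype, qname = parts
        kind = classify(dst, qtype, qname)
        if kind:
            hits.append((src, dst, kind))
    return hits

def per_source(hits):
    """Count matches per (source address, pattern)."""
    return Counter((src, kind) for src, _dst, kind in hits)

if __name__ == "__main__":
    for (src, kind), n in sorted(per_source(scan(SAMPLE_LOG)).items()):
        print(f"{src:15} {kind:8} {n}")
```

An ordinary PTR lookup for some other host's address, like the fifth sample line, is not flagged; only a query whose name is the reverse form of the address it was sent to counts as "self-ptr".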
Current thread:
- Flood of bad DNS queries Brett Glass (Dec 03)
- Re: Flood of bad DNS queries Kurt Seifried (Dec 03)
- Re: Flood of bad DNS queries Jacques Bourdeau (Dec 03)
- Re: Flood of bad DNS queries Mike Lyman (Dec 04)
- Re: Flood of bad DNS queries Jeff Kell (Dec 04)
- Re: Flood of bad DNS queries Mike Lyman (Dec 03)