Security Incidents mailing list archives

Re: Flood of bad DNS queries


From: Jacques Bourdeau <J_Bourdeau () videotron ca>
Date: Wed, 03 Dec 2003 22:03:15 -0500

Hi,

Here, I blocked four /24 networks from Microsoft. 207.46.49.0/24 is one of them. It began during the last days of September.

207.46.7.0/24
207.46.242.0/24
207.46.76.0/24
207.46.49.0/24

All of them are blocked on the firewall and can not access any service on our network.

They have now been blocked for 2 months and they continue to fill the log. Even after being dropped for months, they continue to try to connect.

We also sent a message to abuse@microsoft, but as expected, we did not receive any answer or reaction.

Just do as I did: drop all access from them on your firewall and keep them out of your system.

Jacques Bourdeau, security eng.


Brett Glass wrote:

Our logs are filling with reports of bogus queries which ask machines to do reverse lookups on their own IP addresses (backwards, with .in-addr.arpa appended, as is the usual convention). The queries are being addressed to machines which are not domain name servers and/or are not intended to serve queries from the outside world.

We're also seeing large numbers of requests to resolve ".".
Ironically, many of these requests are coming from addresses such as 207.46.49.152,
which belongs to MSN. (It's unclear whether machines at Microsoft have been
infected, or if the queries are coming from a user logged into MSN.)

What worm or Trojan is causing this? What vulnerability is being attacked here?

--Brett Glass
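As an added illustration that is not part of the thread, the following Python script flags the two query patterns Brett describes (a PTR lookup for the querier's own address, and a query for the root ".") in constructed BIND-9-style query-log lines, and collapses the flagged sources into the /24 drop list that Jacques built by hand. The log format and every address other than 207.46.49.152 are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed BIND-9-style query-log lines (assumed format, not from the thread).
# 207.46.49.152 is the source Brett named; the others are documentation ranges.
SAMPLE_LOG = """\
03-Dec-2003 21:58:01.114 client 207.46.49.152#3241: query: 152.49.46.207.in-addr.arpa IN PTR +
03-Dec-2003 21:58:02.220 client 207.46.49.152#3242: query: . IN NS +
03-Dec-2003 21:58:05.301 client 192.0.2.10#53012: query: www.example.com IN A +
03-Dec-2003 21:58:07.018 client 198.51.100.7#1025: query: 7.100.51.198.in-addr.arpa IN PTR +
03-Dec-2003 21:58:09.540 client 198.51.100.7#1026: query: 10.2.0.192.in-addr.arpa IN PTR +
"""

LINE_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def classify(line):
    """Return (source_ip, kind) with kind 'self-ptr' or 'root', or None if benign."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, qname, qtype = m["src"], m["qname"].rstrip(".").lower(), m["qtype"]
    if qname == "":                      # the name "." is the DNS root
        return (src, "root")
    # ip_address(...).reverse_pointer yields e.g. 152.49.46.207.in-addr.arpa
    if qtype == "PTR" and qname == ipaddress.ip_address(src).reverse_pointer:
        return (src, "self-ptr")
    return None

def suspicious_sources(log_text):
    """Count hits of each pattern per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits[result] += 1
    return hits

def block_list(hits):
    """Collapse flagged sources to /24 networks, as the reply above did by hand."""
    nets = {str(ipaddress.ip_network(src + "/24", strict=False)) for src, _ in hits}
    return sorted(nets)

if __name__ == "__main__":
    found = suspicious_sources(SAMPLE_LOG)
    for (src, kind), n in sorted(found.items()):
        print(f"{src:15} {kind:9} {n}")
    print("candidate /24 drops:", ", ".join(block_list(found)))
```

The fifth sample line is a PTR lookup for a different address and is deliberately left unflagged, so ordinary reverse lookups do not land on the drop list.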

