Network Security Incidents

Re: constant flow of root queries

Subject: Re: constant flow of root queries
Date: Sat, 21 Jan 2006 18:09:57 +1300
On Wed, 2006-01-18 at 09:37 -0500, Brian Collins wrote:
> Good day folks.  This morning an admin asked us to check on a large amount
> of traffic targeting several DNS servers in our network (both our own DNS
> servers and customer co-located DNS servers).  In looking at the traffic I
> see that the source is making several queries a second for DNS root.  I have
> included a small sample from tcpdump below.  Not sure what the motive is
> here.  The TTLs are all 235.  The random source ports make me think
> possibly spoofed traffic.  I can put packet dumps up on a website in libpcap
> format if anyone is interested.  They are still going on as I type this.

I've seen similar about a year ago where a Windows server has gone into
a spin firing DNS queries at its upstream forwarder at high rates - like
thousands of requests per second hitting an ISP DNS server. It has also
been noticed by other people, such as this recent post on the BIND-USERS
mailing list:

http://marc.theaimsgroup.com/?l=bind-users&m=113778239231495&w=2

Really the only resolution was to firewall the perpetrator, then try to
contact them and explain the situation in the hope that they will
understand and fix their server.

-- 
Kerry Thompson
http://www.crypt.gen.nz
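The triage Brian describes (a source hammering several resolvers with root NS queries from random ports, all with the same TTL) and Kerry's remedy (firewall the offender, then contact them) can be turned into a small rate-profiling script. The following is an added example, not code from either poster; it assumes tcpdump -nnv output with the IP header line and the DNS line joined onto one line per packet, and the capture it parses is constructed here using RFC 5737 documentation addresses. The tcpdump sample referenced in the original message is not on this page.

```python
"""Profile DNS root queries per source from tcpdump output, flag noisy
sources and print a candidate block rule.

Added example for the thread above, not code from the original posters.
Assumed input format: one packet per line in `tcpdump -nnv` style, i.e.
"HH:MM:SS.usec IP (tos ..., ttl N, ...) src.sport > dst.53: id[+] TYPE? name"
with the two lines tcpdump normally prints joined into one.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Only DNS *queries* (destination port 53) match; responses and other
# traffic fall through and are ignored.
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<qid>\d+)\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def _seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class SourceProfile:
    root_queries: int = 0          # queries whose QNAME is "." (the root)
    total_queries: int = 0
    sports: set = field(default_factory=set)   # distinct source ports seen
    ttls: set = field(default_factory=set)     # distinct IP TTLs seen
    targets: set = field(default_factory=set)  # resolvers being queried
    first: float = 0.0
    last: float = 0.0

    def root_qps(self) -> float:
        span = self.last - self.first
        return self.root_queries / span if span > 0 else float(self.root_queries)


def profile_sources(lines):
    """Group query lines by source IP and accumulate per-source statistics."""
    profiles = defaultdict(SourceProfile)
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        p = profiles[m["src"]]
        t = _seconds(m["ts"])
        if p.total_queries == 0:
            p.first = t
        p.last = t
        p.total_queries += 1
        p.sports.add(int(m["sport"]))
        p.ttls.add(int(m["ttl"]))
        p.targets.add(m["dst"])
        if m["qname"] == ".":
            p.root_queries += 1
    return dict(profiles)


def flag_sources(profiles, max_root_qps=2.0, min_root_queries=10):
    """Return sources whose root-query rate exceeds the threshold.

    A single TTL across every packet is consistent with one real host at a
    fixed hop distance (the looping resolver case), whereas spoofed traffic
    from many origins would normally show several TTLs.
    """
    flagged = {}
    for src, p in profiles.items():
        if p.root_queries >= min_root_queries and p.root_qps() > max_root_qps:
            flagged[src] = {
                "root_qps": round(p.root_qps(), 2),
                "distinct_sports": len(p.sports),
                "ttls": sorted(p.ttls),
                "targets": sorted(p.targets),
                "single_ttl": len(p.ttls) == 1,
            }
    return flagged


def block_rule(src: str) -> str:
    """Candidate iptables rule to drop the offender's DNS queries."""
    return f"iptables -I INPUT -s {src} -p udp --dport 53 -j DROP"


def constructed_capture():
    """Constructed sample: one host sending 10 root NS queries/s for 4 s from
    changing ports, always TTL 235, plus a benign client and one response."""
    lines = []
    for i in range(40):
        ts = f"09:37:{i * 0.1:09.6f}"
        port = 1024 + (i * 7919) % 60000        # deterministic "random" port
        dst = "198.51.100.2" if i % 2 == 0 else "198.51.100.3"
        lines.append(
            f"{ts} IP (tos 0x0, ttl 235, id {i}, offset 0, flags [none], "
            f"proto UDP (17), length 45) 203.0.113.7.{port} > {dst}.53: "
            f"{(i * 31337) % 65536}+ NS? . (17)"
        )
    lines.append("09:37:00.050000 IP (tos 0x0, ttl 57, id 7, offset 0, flags [none], "
                 "proto UDP (17), length 300) 198.51.100.2.53 > 203.0.113.7.1024: "
                 "0 13/0/0 NS a.root-servers.net. (272)")
    lines.append("09:37:01.500000 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], "
                 "proto UDP (17), length 61) 192.0.2.25.40001 > 198.51.100.2.53: "
                 "4242+ A? www.example.com. (33)")
    return lines


if __name__ == "__main__":
    for src, info in flag_sources(profile_sources(constructed_capture())).items():
        print(src, info)
        print("  ", block_rule(src))
```

On a real capture, feed it `tcpdump -nnv -r dump.pcap udp dst port 53` with the header and DNS lines joined (or adapt the regex to the two-line layout). Random source ports on their own are not evidence of spoofing: a resolver picks a fresh ephemeral port per query, so a constant TTL and a stable set of target resolvers are the better hint that this is one misbehaving host rather than many spoofed ones, which also makes the firewall-then-contact approach in Kerry's reply workable.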

