[Cialug] Network traffic?
Dave Weis
djweis at internetsolver.com
Thu Dec 8 20:13:36 CST 2005
On Thu, 8 Dec 2005, David Champion wrote:
> I don't think so. It's all traffic coming in from the outside, apparently
> trying to make queries against a DNS server.
> From the iptraf log:
> Thu Dec 8 18:57:26 2005; UDP; eth0; 68 bytes; from 64.202.110.61:22911 to
> <my ip>:53
> Lots and lots of these, from various IPs. I've tried to traceroute out to a
> few of them but didn't get very far, before I get to an ATT or Mcleod router
> and time out.
> It was eating up 360k of bandwidth on a T1 connection according to mrtg
> before I killed the DNS server there.
> Has anyone seen any advisories on DNS (specifically bind)? I haven't seen any
> recent ones - since about June - and that was really just a DoS.
It's a DDoS; they are spoofed DNS requests with the source set to IRC
servers.
> Jerry Heiselman wrote:
>> Possible mDNS getting out on your local subnet? Something from
>> Bonjour/Zeroconf?
>>
>> On 12/8/05, David Champion <dave at visionary.com> wrote:
>>
>>> Josh More wrote:
>>>
>>>> I have seen some PHP X-site scripting/mail injection attacks that fit
>>>> within this time frame. Perhaps you are seeing the results of
>>>> successful attacks?
>>>
>>> How about a port 53 (DNS) attack? That's what I'm seeing, using iptraf
>>> to monitor it.
>>>
>>> -dc
--
Dave Weis
djweis at internetsolver.com
http://www.internetsolver.com/
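
An added example, not part of the original thread: a small Python summary of inbound UDP/53 traffic from log lines in the iptraf format quoted above. The sample lines, the documentation-range addresses and the function names are constructed for illustration; if the sources are spoofed as the reply says, the "top" addresses are the parties receiving the responses, not the senders.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout assumed from the iptraf line quoted in the thread:
# "Thu Dec 8 18:57:26 2005; UDP; eth0; 68 bytes; from A:P to B:53"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}); UDP; (?P<iface>\S+); "
    r"(?P<size>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE = """\
Thu Dec 8 18:57:26 2005; UDP; eth0; 68 bytes; from 192.0.2.10:22911 to 203.0.113.5:53
Thu Dec 8 18:57:26 2005; UDP; eth0; 68 bytes; from 198.51.100.7:4021 to 203.0.113.5:53
Thu Dec 8 18:57:27 2005; UDP; eth0; 68 bytes; from 192.0.2.10:22912 to 203.0.113.5:53
Thu Dec 8 18:57:28 2005; UDP; eth0; 120 bytes; from 203.0.113.5:53 to 192.0.2.10:22911
Thu Dec 8 18:57:30 2005; TCP; eth0; 52 bytes; from 192.0.2.99:40000 to 203.0.113.5:80
""".splitlines()

def parse_line(line):
    """Return a dict for a UDP log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = " ".join(rec["ts"].split())  # collapse padded day-of-month
    rec["ts"] = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
    rec["size"] = int(rec["size"])
    rec["dport"] = int(rec["dport"])
    return rec

def dns_query_summary(lines, server_ip):
    """Summarise inbound UDP traffic to server_ip port 53."""
    per_source, total_bytes, stamps = Counter(), 0, []
    for rec in filter(None, map(parse_line, lines)):
        if rec["dst"] != server_ip or rec["dport"] != 53:
            continue  # replies and unrelated traffic are ignored
        per_source[rec["src"]] += 1
        total_bytes += rec["size"]
        stamps.append(rec["ts"])
    # Avoid dividing by zero when all lines share one timestamp.
    seconds = max((max(stamps) - min(stamps)).total_seconds(), 1) if stamps else 1
    return {
        "queries": sum(per_source.values()),
        "sources": len(per_source),
        "kbit_per_s": round(total_bytes * 8 / 1000 / seconds, 2),
        "top": per_source.most_common(3),
    }

if __name__ == "__main__":
    print(dns_query_summary(SAMPLE, "203.0.113.5"))
```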