Security Incidents mailing list archives
Re: Attempted DNS queries.
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Sun, 25 Mar 2001 10:27:02 -0700
> > ......... This goes on. I've been able to identify at least nine unique hosts which attempted these queries: 167.8.29.52, 206.251.19.88, 209.67.29.8, 216.33.87.8, 216.33.87.10, 63.209.29.136, 208.185.109.155, 167.8.29.91 and 64.14.77.2.
> >
> > Results of the portscan against these hosts can be found at: http://192.117.130.34/Fendor/bind-scan-results
> >
> > Any ideas as to the nature of these queries and the strange pattern which these hosts exhibit?
>
> You're being used by kiddies to DOS other kiddies (at least, they try to use you). The trick here is they send your nameserver a query from a spoofed address (the address of the victim) asking for the "." zone. So with a small question they send a large answer to the victim. See ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
>
> The offending hosts in your case are the victims of the DOS attacks.
I would think rather that these are F5/BigIP boxes for which this is known behaviour. In particular if they are running https and ssh. Also see: http://www.securityfocus.com/archive/75/165260

VP Engineering
SecurityFocus.com
"Vae Victis"
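As an added example (not part of the thread or any poster's code), a small Python check a nameserver operator could run over BIND 9-style query log lines to spot the pattern Mark describes: repeated queries for the root zone "." from a handful of source addresses. Under the spoofing explanation those addresses are the victims, not the attackers, so the output is a notify list rather than a block list. The log format, threshold and addresses below are constructed assumptions.

```python
import re
from collections import Counter

# Constructed BIND 9-style query log lines (not from the original thread).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
25-Mar-2001 10:01:02.113 client 192.0.2.10#1024: query: . IN NS
25-Mar-2001 10:01:02.220 client 192.0.2.10#1024: query: . IN NS
25-Mar-2001 10:01:02.331 client 192.0.2.10#1024: query: . IN NS
25-Mar-2001 10:01:02.440 client 198.51.100.5#53: query: . IN ANY
25-Mar-2001 10:01:02.551 client 198.51.100.5#53: query: . IN ANY
25-Mar-2001 10:01:02.660 client 192.0.2.77#3456: query: www.example.com IN A
25-Mar-2001 10:01:02.770 client 192.0.2.77#3456: query: . IN NS
"""

# Assumed format: "client <ip>#<port>: query: <name> IN <type>"
LINE_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (source_ip, qname, qtype) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("name"), m.group("qtype")


def root_query_counts(log_text):
    """Count queries for the root zone ('.') per claimed source address."""
    counts = Counter()
    for src, name, _qtype in parse_queries(log_text):
        if name == ".":
            counts[src] += 1
    return counts


def likely_spoofed_victims(log_text, threshold=2):
    """Sources sending at least `threshold` root-zone queries.

    In the pattern described in the thread the source address is spoofed,
    so each address returned here is the likely target of the reflected
    answers and should be contacted, not blocked as an attacker."""
    counts = root_query_counts(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)
```

A UDP query for "." is small while the answer carrying the root NS set and glue is large, which is why the source count alone is a useful signal; a more complete check would also compare response sizes from the server's own logs.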
Current thread:
- Attempted DNS queries. Yotam Rubin (Mar 25)
- Re: Attempted DNS queries. Mark Lastdrager (Mar 25)
- <Possible follow-ups>
- Re: Attempted DNS queries. Alfred Huger (Mar 25)