Security Incidents mailing list archives
Re: Flood of bad DNS queries
From: Mike Lyman <mlyman-security () comcast net>
Date: Wed, 03 Dec 2003 19:49:54 -0600
On Wed, 2003-12-03 at 14:41, Brett Glass wrote:
What worm or Trojan is causing this? What vulnerability is being attacked here?
My guess is a newly installed 3DNS load balancer from F5. Back at Microsoft we used to get lots of reports of this. So much so that we contemplated many a late night mission into the data centers with wire cutters :-) (As the former abuse () microsoft com, I got quite a few of the reports personally.)

3DNS is fairly intrusive in its default configuration and uses DNS-like traffic to try to determine which data center you are logically closest to and route you there. It also periodically retests even if no client in your network is currently connecting to the systems using 3DNS. Sets off lots of IDS and firewall alarms. It can be configured so that it does not set off so many alarms.

--
Mike Lyman
pgp keyid 0xAB7F35DA