Security Incidents mailing list archives

Re: Flood of bad DNS queries


From: Mike Lyman <mlyman-security () comcast net>
Date: Wed, 03 Dec 2003 19:49:54 -0600

On Wed, 2003-12-03 at 14:41, Brett Glass wrote:
> What worm or Trojan is causing this? What vulnerability is being attacked here?

My guess is a newly installed 3DNS load balancer from F5. Back at
Microsoft we used to get lots of reports of this. So much so that we
contemplated many a late night mission into the data centers with wire
cutters :-)  (As the former abuse () microsoft com, I got quite a few of
the reports personally.)

3DNS is fairly intrusive in its default configuration and uses DNS-like
traffic to try to determine which data center you are logically closest
to and route you there. It also periodically retests even if no client
in your network is currently connecting to the systems using 3DNS. Sets
off lots of IDS and firewall alarms. It can be configured so that it
does not set off so many alarms.

-- 
Mike Lyman
pgp keyid 0xAB7F35DA
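
A triage sketch for the behaviour described in the message above, added here as an example and not part of the original post or any F5 tooling: it flags remote sources that hit port 53 on a regular timer although no local host initiated traffic to them. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall log (format assumed for this example):
# epoch_seconds direction src_ip:port dst_ip:port
SAMPLE_LOG = """\
1000 out 192.0.2.10:40001 198.51.100.5:53
1000 in 198.51.100.5:53 192.0.2.10:40001
1005 in 198.51.100.99:3100 192.0.2.53:53
1010 in 203.0.113.7:2200 192.0.2.53:53
1020 in 198.51.100.99:3101 192.0.2.53:53
1310 in 203.0.113.7:2201 192.0.2.53:53
1612 in 203.0.113.7:2202 192.0.2.53:53
1900 in 198.51.100.99:3102 192.0.2.53:53
1909 in 203.0.113.7:2203 192.0.2.53:53
2210 in 203.0.113.7:2204 192.0.2.53:53
2500 in 198.51.100.99:3103 192.0.2.53:53
"""

def parse(line):
    ts, direction, src, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), direction, src_ip, dst_ip, int(dst_port)

def find_periodic_probers(log_text, min_hits=4, max_jitter=0.2):
    """Return {remote_ip: mean_interval_seconds} for sources that hit port 53
    on a regular timer although no local host ever initiated traffic to them."""
    contacted = set()            # remote IPs our own hosts talked to first
    inbound = defaultdict(list)  # remote IP -> times of inbound port-53 packets
    for line in filter(str.strip, log_text.splitlines()):
        ts, direction, src_ip, dst_ip, dst_port = parse(line)
        if direction == "out":
            contacted.add(dst_ip)
        elif dst_port == 53:     # replies to our queries arrive on high ports
            inbound[src_ip].append(ts)
    findings = {}
    for ip, stamps in inbound.items():
        if ip in contacted or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation = timer-driven retest, not user traffic
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[ip] = round(avg)
    return findings

if __name__ == "__main__":
    print(find_periodic_probers(SAMPLE_LOG))
```
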


