Security Incidents mailing list archives
Re: Bogus DNS traffic
From: Robert Lowe <rlowe () auscert org au>
Date: Thu, 23 Oct 2003 14:21:23 +1000
Hi David,

Yes, we've had reports of similar activity. The best explanation I've found so far is:

http://people.ists.dartmouth.edu/~gbakos/bindsweep/

But perhaps someone else knows of a better explanation...

Seeing the MAC addresses set to your upstream router is expected:

http://www.blacksheepnetworks.com/security/info/ids/IDFAQ/mac_address.htm

Regards,
Rob.

--
Robert Lowe, Computer Security Analyst | Hotline: +61 7 3365 4417
AusCERT                                | Fax: +61 7 3365 7031
The University of Queensland           | WWW: www.auscert.org.au
QLD 4072 Australia                     | Email: auscert () auscert org au

I'm seeing random UDP packets to port 53 of random internal IP addresses. The source IP addresses are external, all over the map, although the one example I've gotten a good capture of bore the source MAC address of an internal server. (Whatever is spoofing the IP address *could* be spoofing the MAC address, but that would still indicate an origin inside our network....)

Does anyone recognize this?

David Gillett