Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] DNS-requests

To: "'Goetz, Jarrett'" <[email protected]>, "Reed Mohn, Anders" <[email protected]>
Subject: RE: [FW1] DNS-requests
From: "Reed Mohn, Anders" <[email protected]>
Date: Tue, 8 May 2001 15:54:01 +0200
Cc: "Fw-1-Mailinglist (E-mail)" <[email protected]>
Sender: [email protected]

No, not enough to do any damage, but it constitutes a large portion of the
total packets logged.
We are talking less than a hundred a day,
just counting attempts to contact the one specific IP address (UDP, port
53).
If we include port scans and TCP connection attempts, some days we've logged
bursts of thousands.
 
I'm not worried about it, just curious as to why so many different hosts
would
repeatedly be trying to contact a server that went out of commision two
years 
ago, and that is not listed in any DNS-record (that I've been able to find)
since then.
 
I just find it hard to believe that there are som many _real_ sources for
this traffic.
 
Cheers,
Anders :)
 
 

-----Original Message-----
From: Goetz, Jarrett [mailto:[email protected]]
Sent: 8. mai 2001 15:17
To: 'Reed Mohn, Anders'
Cc: Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] DNS-requests



How many requests are we talking here?  Is it actually enough that it is
impacting your bandwidth or firewall performance?

Jarrett 

-----Original Message----- 
From: Reed Mohn, Anders [ mailto:[email protected]
<mailto:[email protected]> ] 
Sent: Thursday, May 03, 2001 10:23 
To: Fw-1-Mailinglist (E-mail) 
Subject: [FW1] DNS-requests 




I've been logging a large number of domain-udp and domain-tcp 
packets trying to get in to our network. 
Most of the requests actually go to a specific (unused) address. 
This address used to hold a DNS-server once, and someone obviously 
remembers. 
The requests are seemingly coming from all over the net, including 
from other DNS-servers. 

What I am wondering is whether this is more likely to be someone spoofing 
the 
source addresses or whether they are using other, real DNS-servers to send 
these requests to us. 
(Is the latter, in fact, possible?) 

Is this a know attack of some sort? 

Cheers, 
Anders RM :) 


============================================================================
==== 
     To unsubscribe from this mailing list, please see the instructions at 
               http://www.checkpoint.com/services/mailing.html
<http://www.checkpoint.com/services/mailing.html>  
============================================================================
==== 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] DNS-requests
Next by Date: [FW1] Missing Websites
Previous by thread: RE: [FW1] DNS-requests
Next by thread: RE: [FW1] DNS-requests
Index(es):
- Date
- Thread