[Dshield] Need some help

Benjamin M.A. Robson ben at robson.ph
Fri Aug 15 14:24:04 GMT 2003


Paul,

OK, I don't know your logging format so I may make myself look like a
complete goose here.  But on the assumption that the format is
<src>,<srcport>,<dst>,<dstport>

I would say this looks less like Adelphia making the requests, and more
like them responding to requests from your system(s).

What other information do you have that makes you think these packets
are as a result of a connection established from their end?

Before you say "because I'm not doing any DNS lookups", can you just
double check?  For example, if you were receiving packets being blocked
by a firewall and it is resolving DNS entries for the logs, you may be
doing DNS lookups after all.

BenR.

(p.s. I hope you don't think that I think you are a fool.  Just reading
the information as provided.)

On Fri, 2003-08-15 at 23:46, Paul Marsh wrote:
> Yesterday afternoon I started getting flooded with the following.  The IP is one of Adelphia's DNS servers, it's sending DNS requests to my MX server.  I'm not on Adelphia's network and don't use them for DNS, anyone have any idea why this all of a sudden started happening and continues?  The next question is how do I stop it, Adelphia is the least responsive ISP when it comes to resolving problems.
> 
> Thanx, Paul 
> 
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	18890,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	19361,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	19419,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	19488,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	1326,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	1415,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	1477,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	1857,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	1897,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	2350,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	2401,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	2553,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	2915,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	2970,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3016,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3388,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3439,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3496,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3555,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3899,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	3952,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	4070,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	4430,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	4494,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	4756,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	4953,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	4999,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	5064,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	5385,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	5461,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	5515,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	5923,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	5982,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	6030,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	6345,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	6397,
> 68.168.64.10,	53,	WAN	xxx.xxx.xxx.xxx,	6487,
> 
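The reading given in this reply can be checked mechanically. The following is an added example, not part of the original thread: it parses lines in the quoted layout under the reply's assumed field order <src>,<srcport>,<dst>,<dstport> and labels each one by which side holds port 53. The sample lines, the 192.0.2.25 stand-in address and all function names are constructed for illustration.

```python
import re
from collections import Counter

DNS_PORT = 53

# Constructed sample in the layout of the quoted log, read under the reply's
# assumed field order <src>,<srcport>,<dst>,<dstport>. 192.0.2.25 is a
# documentation address standing in for the masked MX host; the last two
# lines are invented to show the other outcomes.
SAMPLE_LOG = """\
68.168.64.10,\t53,\tWAN\t192.0.2.25,\t18890,
68.168.64.10,\t53,\tWAN\t192.0.2.25,\t1326,
68.168.64.10,\t53,\tWAN\t192.0.2.25,\t6487,
68.168.64.10,\t40112,\tWAN\t192.0.2.25,\t53,
68.168.64.10,\t53,\tWAN\t192.0.2.25,\t53,
"""

def parse_line(line):
    """Return (src, srcport, dst, dstport), or None if the line does not fit."""
    fields = [f for f in re.split(r"[,\s]+", line.lstrip("> ").strip()) if f]
    # Drop an interface label such as "WAN" sitting between srcport and dst.
    fields = [f for f in fields if not f.isalpha()]
    if len(fields) != 4 or not (fields[1].isdigit() and fields[3].isdigit()):
        return None
    return fields[0], int(fields[1]), fields[2], int(fields[3])

def classify(srcport, dstport):
    """Direction implied by which side of the packet holds port 53."""
    if srcport == DNS_PORT and dstport != DNS_PORT:
        return "response"   # server port -> client port: answer to a query
    if dstport == DNS_PORT and srcport != DNS_PORT:
        return "query"      # client port -> server port: inbound request
    if srcport == DNS_PORT and dstport == DNS_PORT:
        return "ambiguous"  # both ends on 53: ports alone cannot tell
    return "not-dns"

def summarize(log_text):
    """Count implied directions per remote source address."""
    summary = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, srcport, _dst, dstport = parsed
        summary.setdefault(src, Counter())[classify(srcport, dstport)] += 1
    return summary

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, dict(counts))
```

A source dominated by "response" entries fits the reply's reading: the remote server is answering lookups that originated locally, for example a firewall resolving names for its own logs.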