[Dshield] DNS traffic?

Doug White doug at clickdoug.com
Wed Aug 27 04:44:37 GMT 2003


These two were easy enough - persistent enough I have the IP numbers blocked at
the perimeter.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Wilfred A. Smith" <wilfred at esprit-omnimedia.com>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Tuesday, August 26, 2003 10:26 PM
Subject: RE: [Dshield] DNS traffic?


| Hey, that's the same IP that I'm getting plastered with (in this
| particular case).  Can't someone just get in touch with the ISP and
| insist that this user quit it or get off the 'Net?
|
| He taps me once every hour, it seems.  Both ports get discarded, but
| it's utterly disturbing how much hostile traffic I'm finding on the
| 'Net.  In my case, legitimate traffic is < 1/4 my total!
|
| -----Original Message-----
| From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
| Behalf Of George Theall
| Sent: Tuesday, August 26, 2003 10:12 AM
| To: General DShield Discussion List
| Subject: Re: [Dshield] DNS traffic?
|
| On Tue, Aug 26, 2003 at 08:20:11AM -0700, Wilfred A. Smith wrote:
|
| > Am I the only one seeing tons of hits on port 135 from remote port
| 666,
| > followed by a hit to 1026?
|
| I suspect these are related to Windows Messenger popups.  As ISPs have
| begun blocking port 135, popup spam is increasingly targetting UDP port
| 1026.  See <http://www.lurhq.com/popup_spam.html>.
|
| The lion's share of the activity I see is from 64.156.39.12,
| dialup-64.156.39.12.Dial1.Denver1.Level3.net.  This particular host
| started hitting me in late July and has been continuing to do so several
| times per day for each host I monitor. Now I tarpit it.
|
| George
| -- 
| theall at tifaware.com
|
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
|
|




More information about the list mailing list