[Dshield] Help: DNS (53)

Chris Brenton cbrenton at chrisbrenton.org
Thu Jan 1 23:27:56 GMT 2004


On Thu, 2004-01-01 at 11:30, Alan Frayer wrote:
>
> Okay, I've been trying to follow this thread with some interest because
> I've been getting hit with UDP 53 packets for the last month at one or
> two of my IPs.

Are the IPs:
a name server used by internal clients?
a many to one NAT IP with a name server behind it?

If not, you might be looking at something different.

> The volume of these packets have been far exceeding my
> normal noise level. There is no DNS server at these addresses, and I was
> trying to figure out why these packets have been appearing.

If you meet one or both of the above conditions, it could be load
balancing. If not, it could be malicious. Check the source IP and see if
its part of an address space or domain that you have recently queried.
If you can spot a pattern (like it always comes from the same source IP
but only during microsoft.com related queries), you are probably OK. If
not, again, it might be malicious.

> For the most
> part, the source addresses have not been targeting multiple addresses,
> so they slip past the Dshield Fightback rules. And they seem to slack
> off during overnight or holiday hours, suggesting these are manned PCs
> that get shut down at the end of a work day.

Or.... there are fewer people at _your_ site during those times
generating outbound queries that are causing this possible load balancer
to check performance metrics back to your site.

Again, it really comes down to how you answer the above two questions.

HTH,
C





More information about the list mailing list