[Dshield] increase port 53 traffic and compromised hosts

hostmaster at denverdata.com
Mon Jan 19 21:57:09 GMT 2004

We're receiving an interesting surge in DNS traffic that began approx. 3PM MST 
on Jan 18. The surge is interesting in that:

* we do not have a publicly accessible DNS server at the target of the traffic
* all traffic is originating from 17 unique hosts (most in the ev1.net space, 
1 host in aol.com)
* the traffic appears to be legitimate DNS name queries -- one captured 
request was for 217-125-299-77.UC.NOMBRES.TTD.ES
* for any given host, the same source port is always used. For a few of the 
hosts the source port flip-flops between two ports.
* at least two of the hosts appear to be compromised Windows boxes w/open port 
27374 (SubSeven)

I might think this to be a DDoS attack, but the level of actual bandwidth 
consumed is small enough not to impede other traffic.

So, here's the list of hosts:


P.S. abuse at ev1.net has been contacted and replied with an auto-generated 
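An added example, not part of the original message: a small script that profiles the pattern described above (a steady stream of port-53 queries toward a host that is not a public DNS server, with each source pinned to one or two source ports). The capture lines are constructed in tcpdump-like format and the addresses, ports and most names are illustrative; only the query for 217-125-299-77.UC.NOMBRES.TTD.ES comes from the post.

```python
"""Group DNS queries by source IP and source port to spot sources that keep
a fixed (or two-valued) source port across many queries to one target.

Added example for the DShield thread; the capture below is constructed,
not real traffic from the post.
"""
import re
from collections import defaultdict

# Constructed sample capture (tcpdump-like). 203.0.113.5 plays the role of the
# host that has no public DNS server; 203.0.113.9 is a different target that the
# profile should ignore.
SAMPLE_CAPTURE = """\
15:02:01.110 IP 198.51.100.10.2071 > 203.0.113.5.53: 4821+ A? 217-125-299-77.UC.NOMBRES.TTD.ES. (48)
15:02:01.340 IP 198.51.100.10.2071 > 203.0.113.5.53: 4822+ A? 217-125-299-78.UC.NOMBRES.TTD.ES. (48)
15:02:01.612 IP 198.51.100.10.2071 > 203.0.113.5.53: 4823+ A? 217-125-299-79.UC.NOMBRES.TTD.ES. (48)
15:02:01.903 IP 198.51.100.10.2071 > 203.0.113.5.53: 4824+ A? 217-125-299-80.UC.NOMBRES.TTD.ES. (48)
15:02:02.155 IP 198.51.100.10.2071 > 203.0.113.5.53: 4825+ A? 217-125-299-81.UC.NOMBRES.TTD.ES. (48)
15:02:02.417 IP 198.51.100.10.2071 > 203.0.113.5.53: 4826+ A? 217-125-299-82.UC.NOMBRES.TTD.ES. (48)
15:02:02.500 IP 198.51.100.10.2071 > 203.0.113.9.53: 4827+ A? 217-125-299-83.UC.NOMBRES.TTD.ES. (48)
15:02:03.010 IP 198.51.100.23.1025 > 203.0.113.5.53: 11+ A? host-a.example.net. (36)
15:02:03.220 IP 198.51.100.23.1026 > 203.0.113.5.53: 12+ A? host-b.example.net. (36)
15:02:03.430 IP 198.51.100.23.1025 > 203.0.113.5.53: 13+ A? host-c.example.net. (36)
15:02:03.640 IP 198.51.100.23.1026 > 203.0.113.5.53: 14+ A? host-d.example.net. (36)
15:02:03.850 IP 198.51.100.23.1025 > 203.0.113.5.53: 15+ A? host-e.example.net. (36)
15:02:04.060 IP 198.51.100.23.1026 > 203.0.113.5.53: 16+ A? host-f.example.net. (36)
15:02:05.100 IP 198.51.100.77.32801 > 203.0.113.5.53: 901+ A? www.example.org. (33)
15:02:05.300 IP 198.51.100.77.32910 > 203.0.113.5.53: 902+ A? mail.example.org. (34)
15:02:05.500 IP 198.51.100.77.33002 > 203.0.113.5.53: 903+ A? ftp.example.org. (33)
15:02:05.700 IP 198.51.100.77.33151 > 203.0.113.5.53: 904+ A? ns1.example.org. (33)
15:02:05.900 IP 198.51.100.77.33277 > 203.0.113.5.53: 905+ A? ns2.example.org. (33)
15:02:06.100 IP 198.51.100.77.33402 > 203.0.113.5.53: 906+ A? smtp.example.org. (34)
15:02:07.000 IP 198.51.100.90.3000 > 203.0.113.5.53: 7+ A? a.example.com. (31)
15:02:07.200 IP 198.51.100.90.3000 > 203.0.113.5.53: 8+ A? b.example.com. (31)
"""

# Matches "IP src.sport > dst.dport: txid[+] QTYPE? qname" from tcpdump -n output.
QUERY_RE = re.compile(
    r"IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse_queries(capture):
    """Return one dict per DNS query line; lines that do not match are skipped."""
    records = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def profile_sources(records, dst, dport=53):
    """Group queries aimed at dst:dport by source IP, collecting the source
    ports and query names each source used."""
    prof = defaultdict(lambda: {"count": 0, "ports": set(), "qnames": set()})
    for r in records:
        if r["dst"] != dst or r["dport"] != dport:
            continue
        p = prof[r["src"]]
        p["count"] += 1
        p["ports"].add(r["sport"])
        p["qnames"].add(r["qname"])
    return dict(prof)


def flag_fixed_port_sources(prof, min_queries=5, max_ports=2):
    """Sources that sent at least min_queries while using at most max_ports
    distinct source ports: the 'same source port, or flip-flopping between
    two' behaviour from the post. Thresholds are assumptions to tune per site."""
    flagged = []
    for ip, p in sorted(prof.items()):
        if p["count"] >= min_queries and len(p["ports"]) <= max_ports:
            flagged.append((ip, tuple(sorted(p["ports"])), p["count"]))
    return flagged


if __name__ == "__main__":
    prof = profile_sources(parse_queries(SAMPLE_CAPTURE), "203.0.113.5")
    for ip, ports, count in flag_fixed_port_sources(prof):
        print(f"{ip}: {count} queries from source port(s) {ports}; "
              f"{len(prof[ip]['qnames'])} distinct names")
```

Against real traffic, feed it `tcpdump -n -i <if> 'udp dst port 53'` output for the target host; the per-source port tuple is what lets you tell a pinned-port sender apart from a host that happens to query you a few times, and the query-name set shows whether the names look like ordinary lookups (as in the post) or something else.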
