[Dshield] increase port 53 traffic and compromised hosts

hostmaster@denverdata.com hostmaster at denverdata.com
Mon Jan 19 21:57:09 GMT 2004


We're receiving an interesting surge in DNS traffic that began approx. 3PM MST 
on Jan 18. The surge is interesting in that:

* we do not have a publicly accessible DNS server at the target of the traffic
* all traffic is originating from 17 unique hosts (most in the ev1.net space, 
1 host in aol.com)
* the traffic appears to be legitimate DNS name queries -- one captured 
request was for 217-125-299-77.UC.NOMBRES.TTD.ES
* for any given host, the same source port is always used. For a few of the 
hosts the source port flip-flops between two ports.
* at least two of the hosts appear to be compromised Windows boxes w/open port 
27374 (SubSeven)

I might think this to be a DDoS attack, but the level of actual bandwidth 
consumed is small enough not to impede other traffic.

So, here's the list of hosts:

Cheers,
Doug

P.S. abuse at ev1.net has been contacted and replied with an auto-generated 
message.
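One way to pick out the pattern Doug describes (a source that keeps hammering port 53 from one fixed source port, or flip-flops between two) from a query log, as an added example that is not part of the original post. The log line layout and the sample addresses are constructed for this example; swap in your own sensor's format.

```python
"""Flag DNS query sources that reuse a fixed source port.
Added example, not from the original post: parses constructed,
syslog-style query lines and reports sources that sent many queries
from one or two source ports. The line layout is an assumption."""
import re
from collections import defaultdict

# Constructed sample: "<time> <src_ip>:<src_port> -> <dst_ip>:53 <qname>"
SAMPLE_LOG = """\
2004-01-18T15:01:02 198.51.100.10:34567 -> 203.0.113.5:53 217-125-299-77.UC.NOMBRES.TTD.ES
2004-01-18T15:01:03 198.51.100.10:34567 -> 203.0.113.5:53 mail.example.org
2004-01-18T15:01:05 198.51.100.10:34567 -> 203.0.113.5:53 www.example.com
2004-01-18T15:01:07 198.51.100.20:40001 -> 203.0.113.5:53 a.example.com
2004-01-18T15:01:08 198.51.100.20:40002 -> 203.0.113.5:53 b.example.com
2004-01-18T15:01:09 198.51.100.20:40001 -> 203.0.113.5:53 c.example.com
2004-01-18T15:01:10 198.51.100.20:40002 -> 203.0.113.5:53 d.example.com
2004-01-18T15:01:11 198.51.100.30:51000 -> 203.0.113.5:53 e.example.com
2004-01-18T15:01:12 198.51.100.30:51734 -> 203.0.113.5:53 f.example.com
2004-01-18T15:01:13 198.51.100.30:52201 -> 203.0.113.5:53 g.example.com
"""

LINE_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> \S+:53 (?P<qname>\S+)$"
)

def source_ports(log_text):
    """Map each source IP to {source_port: query_count}."""
    ports = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports[m["src"]][int(m["sport"])] += 1
    return ports

def fixed_port_sources(log_text, min_queries=3, max_ports=2):
    """Return {src_ip: sorted ports} for hosts that sent at least
    min_queries queries from no more than max_ports distinct ports.
    Modern resolvers randomise the source port per query, so a busy
    source stuck on one or two ports, as the post describes, stands out."""
    flagged = {}
    for src, counts in source_ports(log_text).items():
        if sum(counts.values()) >= min_queries and len(counts) <= max_ports:
            flagged[src] = sorted(counts)
    return flagged

if __name__ == "__main__":
    for src, ports in fixed_port_sources(SAMPLE_LOG).items():
        print(f"{src}: fixed source port(s) {ports}")
```

Hosts flagged this way are candidates for a closer look (the post's SubSeven port check, or an abuse report), not proof of compromise: a legitimately misconfigured resolver behind NAT can look the same.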
