[Dshield] increase port 53 traffic and compromised hosts

Alan Frayer afrayer at frayernet.com
Tue Jan 20 19:55:11 GMT 2004


On Mon, 2004-01-19 at 16:57, hostmaster at denverdata.com wrote:

> We're receiving an interesting surge in DNS traffic that began approx. 3PM MST 
> on Jan 18. The surge is interesting in that:
> 
> * we do not have a publicly accessible DNS server at the target of the traffic
> * all traffic is originating from 17 unique hosts (most in the ev1.net space, 
> 1 host in aol.com)
> * the traffic appears to be legitimate DNS name queries -- one captured 
> request was for 217-125-299-77.UC.NOMBRES.TTD.ES
> * for any given host, the same source port is always used. For a few of the 
> hosts the source port flip-flops between two ports.
> * at least two of the hosts appear to be compromised Windows boxes w/open port 
> 27374 (SubSeven)


A consulting client of mine has had similar issues, with attacks on only
one public IP; however, we lack the necessary components to capture the
packets and further analyze them (I'm lucky that I can send Dshield the
reports and participate in the Fightback program). These port 53 attacks
make up the majority of attacks to this company's IPs (even with 6 IPs
reporting), yet they don't actually shut down the bandwidth, so the
company isn't requesting further action on my part.

The funny thing is, I haven't been able to rally enough support from
anyone to actually do anything with them. They don't individually have
enough targets to allow me to request a Fightback on them, and I don't
see where I have enough leverage on my own.

________________________________________________________________________

Alan Frayer, CNE, CNI, CIW CI, MCP, Net+ - afrayer at frayernet.com
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org
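The quoted report describes a pattern a defender can check for in ordinary packet-summary logs: repeated UDP/53 queries aimed at a host that is not a DNS server, with each source reusing one source port (or alternating between two). The script below is an added example, not code from either poster; it parses a small set of constructed tcpdump-style lines (the addresses are documentation ranges, not data from the thread) and reports, per source/destination pair, the query count and whether the source port is fixed, flip-flops, or varies. The log format, the `find_unexpected_dns` function and the `dns_servers` allow-list are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in a tcpdump-like "src.port > dst.port" layout.
# 192.0.2.1 is the site's real resolver; 192.0.2.10 runs no DNS service.
SAMPLE_LOG = """\
2004-01-18 15:01:03 IP 198.51.100.7.3150 > 192.0.2.10.53: UDP 41
2004-01-18 15:01:09 IP 198.51.100.7.3150 > 192.0.2.10.53: UDP 39
2004-01-18 15:01:15 IP 198.51.100.7.3150 > 192.0.2.10.53: UDP 44
2004-01-18 15:02:20 IP 203.0.113.44.1025 > 192.0.2.10.53: UDP 40
2004-01-18 15:02:31 IP 203.0.113.44.1026 > 192.0.2.10.53: UDP 40
2004-01-18 15:02:40 IP 203.0.113.44.1025 > 192.0.2.10.53: UDP 42
2004-01-18 15:03:02 IP 192.0.2.55.2048 > 192.0.2.1.53: UDP 38
2004-01-18 15:03:05 IP 192.0.2.55.2049 > 192.0.2.1.53: UDP 38
2004-01-18 15:03:11 IP 192.0.2.55.2050 > 192.0.2.1.53: UDP 38
2004-01-18 15:04:00 IP 198.51.100.9.4401 > 192.0.2.10.80: TCP 60
"""

# Assumed line layout: "<date> <time> IP <src>.<sport> > <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


@dataclass
class Finding:
    src: str
    dst: str
    queries: int
    source_ports: tuple   # sorted distinct source ports seen from src
    pattern: str          # "fixed", "flip-flop" or "varied"


def parse_line(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_ports(ports):
    """Label the source-port behaviour the way the original report describes it."""
    if len(ports) == 1:
        return "fixed"
    if len(ports) == 2:
        return "flip-flop"
    return "varied"


def find_unexpected_dns(log_text, dns_servers, min_queries=2):
    """Return Findings for (src, dst) pairs sending >= min_queries UDP/53 packets
    to a destination that is not in the dns_servers allow-list."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != 53:
            continue
        if rec["dst"] in dns_servers:
            continue          # queries to a real resolver are expected traffic
        key = (rec["src"], rec["dst"])
        counts[key] += 1
        ports[key].add(rec["sport"])

    findings = []
    for key, n in sorted(counts.items()):
        if n < min_queries:
            continue
        seen = tuple(sorted(ports[key]))
        findings.append(Finding(key[0], key[1], n, seen, classify_ports(seen)))
    return findings


if __name__ == "__main__":
    for f in find_unexpected_dns(SAMPLE_LOG, dns_servers={"192.0.2.1"}):
        print(f"{f.src} -> {f.dst}:53  {f.queries} queries, "
              f"source port {f.pattern} {f.source_ports}")
```

The allow-list is what makes the check meaningful: a fixed source port on its own is not suspicious, since many resolvers of that era reused one port for every query. The signal in the report is sustained query volume toward an address that answers no DNS at all, so the script only ever reports destinations absent from `dns_servers`. Feeding it real tcpdump output would need the regex adjusted to the exact summary format in use.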