[Dshield] increase port 53 traffic and compromised hosts

Pete Cap peteoutside at yahoo.com
Wed Jan 21 20:45:37 GMT 2004

Just a quick question...
Have you tried correlating this activity with anything else?

What other significant recon or "apparent" DDoS are you seeing?


Alan Frayer <afrayer at frayernet.com> wrote:
On Mon, 2004-01-19 at 16:57, hostmaster at denverdata.com wrote:

> We're receiving an interesting surge in DNS traffic that began approx. 3PM MST 
> on Jan 18. The surge is interesting in that:
> * we do not have a publicly accessible DNS server at the target of the traffic
> * all traffic is originating from 17 unique hosts (most in the ev1.net space, 
> 1 host in aol.com)
> * the traffic appears to be legitimate DNS name queries -- one captured 
> request was for 217-125-299-77.UC.NOMBRES.TTD.ES
> * for any given host, the same source port is always used. For a few of the 
> hosts the source port flip-flops between two ports.
> * at least two of the hosts appear to be compromised Windows boxes w/open port 
> 27374 (SubSeven)

A consulting client of mine has had similar issues, with attacks on only
one public IP, however we lack the necessary components to capture the
packets and further analyze them (I'm lucky that I can send Dshield the
reports and participate in the Fightback program). These port 53 attacks
make up the majority of attacks to this company's IPs (even with 6 IPs
reporting), yet they don't actually shut down the bandwidth, so the
company isn't requesting further action on my part.

The funny thing is, I haven't been able to rally enough support from
anyone to actually do anything with them. They don't individually have
enough targets to allow me to request a Fightback on them, and I don't
see where I have enough leverage on my own.


Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com 
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org 

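One way to check connection logs for the pattern in the quoted report (port 53 queries arriving at an address that runs no DNS server, with each source reusing one or two source ports), as an added example that is not part of the original thread. The log format, the addresses (documentation ranges), and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: "epoch src_ip src_port dst_ip dst_port proto".
# Addresses come from the documentation ranges; none are from the thread.
SAMPLE_LOG = """\
1074463200 198.51.100.10 1027 192.0.2.5 53 udp
1074463205 198.51.100.10 1027 192.0.2.5 53 udp
1074463211 198.51.100.10 1027 192.0.2.5 53 udp
1074463219 198.51.100.10 1027 192.0.2.5 53 udp
1074463220 198.51.100.10 3211 192.0.2.5 80 tcp
1074463201 198.51.100.22 1030 192.0.2.5 53 udp
1074463207 198.51.100.22 1031 192.0.2.5 53 udp
1074463213 198.51.100.22 1030 192.0.2.5 53 udp
1074463218 198.51.100.22 1031 192.0.2.5 53 udp
1074463202 203.0.113.7 49152 192.0.2.5 53 udp
1074463208 203.0.113.7 50211 192.0.2.5 53 udp
1074463214 203.0.113.7 61002 192.0.2.5 53 udp
1074463221 203.0.113.7 53344 192.0.2.5 53 udp
"""

DNS_SERVERS = frozenset()  # assumption: the monitored site runs no public DNS server
MIN_PACKETS = 4            # assumed threshold: ignore sources seen only a few times
MAX_SRC_PORTS = 2          # the report saw one port per host, sometimes two

def parse(log):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto) for each valid record."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6 or not (fields[2].isdigit() and fields[4].isdigit()):
            continue  # skip blank or malformed lines
        _, src, sport, dst, dport, proto = fields
        yield src, int(sport), dst, int(dport), proto

def fixed_port_dns_sources(log, dns_servers=DNS_SERVERS):
    """Return {src_ip: sorted source ports} for sources matching the pattern."""
    ports = defaultdict(set)
    counts = defaultdict(int)
    for src, sport, dst, dport, _proto in parse(log):
        if dport != 53 or dst in dns_servers:
            continue  # only port 53 traffic to non-DNS hosts is of interest
        ports[src].add(sport)
        counts[src] += 1
    return {src: sorted(p) for src, p in ports.items()
            if counts[src] >= MIN_PACKETS and len(p) <= MAX_SRC_PORTS}

if __name__ == "__main__":
    for src, p in sorted(fixed_port_dns_sources(SAMPLE_LOG).items()):
        print(f"{src}: repeated port 53 queries from source port(s) {p}")
```

The resulting source list is a starting point for the correlation asked about in the reply, for example against other inbound ports hit by the same addresses.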