[Dshield] increase port 53 traffic and compromised hosts

Doug Douglass hostmaster at denverdata.com
Wed Jan 21 22:36:52 GMT 2004


On Wednesday 21 January 2004 01:45 pm, Pete Cap wrote:
> Just a quick question...
>
> Have you tried correlating this activity with anything else?

I've looked at the following:
   * all incoming port 53 traffic
   * all traffic from any port 53 source host

None of the source hosts are attempting any connections to any other ports on 
any of our public hosts.

No outgoing traffic is destined for any of the source hosts.

I did get a human response from the ISP that they contacted their customers 
and notified them to cease the traffic. Since then the number of source hosts 
has been declining slowly:
   * Jan 18 -- 17
   * Jan 19 -- 15
   * Jan 20 -- 12

The number of requests is light but steady, approx 7 requests per hour. It's 
been declining slightly as the number of hosts has been declining.

>
> What other significant recon or "apparent" DDoS are you seeing?
>

Other than the typical noise of SubSeven, DameWare, Windows networking (135, 
137, 139, 445), MS SQL and HTTP (/sumthin, /scripts/nsiislog, etc), I'm not 
seeing anything out of the "ordinary". Certainly nothing that impedes our 
bandwidth.

Any other thoughts?

Thanks,
Doug
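
The correlation checks described in the message above, as an added example that is not part of the original post: distinct port 53 source hosts per day, other ports those hosts tried, and outgoing traffic toward them. The log format, the function name `correlate` and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the original post), using documentation
# address ranges. Assumed format: date direction src dst dst_port
SAMPLE_LOG = """\
2004-01-18 IN 198.51.100.7 192.0.2.10 53
2004-01-18 IN 198.51.100.8 192.0.2.10 53
2004-01-18 IN 198.51.100.9 192.0.2.10 53
2004-01-18 IN 203.0.113.9 192.0.2.11 445
2004-01-19 IN 198.51.100.7 192.0.2.10 53
2004-01-19 IN 198.51.100.8 192.0.2.10 53
2004-01-19 IN 198.51.100.8 192.0.2.11 80
2004-01-19 OUT 192.0.2.10 198.51.100.9 53
2004-01-20 IN 198.51.100.7 192.0.2.10 53
truncated line
"""

def correlate(log_text, port=53):
    """Summarise hosts that sent traffic to `port` and what else they touched."""
    per_day = defaultdict(set)    # date -> sources seen hitting `port`
    in_ports = defaultdict(set)   # source -> every inbound destination port
    out_dsts = set()              # destinations of our outgoing traffic
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue              # skip malformed or truncated records
        day, direction, src, dst, dport = fields
        if direction == "IN":
            in_ports[src].add(int(dport))
            if int(dport) == port:
                per_day[day].add(src)
        elif direction == "OUT":
            out_dsts.add(dst)
    sources = set().union(*per_day.values())
    return {
        # Distinct source hosts per day (the trend tracked in the message)
        "hosts_per_day": {d: len(s) for d, s in sorted(per_day.items())},
        # Port-`port` sources that also tried other ports on our hosts
        "other_ports": {s: sorted(in_ports[s] - {port})
                        for s in sorted(sources) if in_ports[s] - {port}},
        # Port-`port` sources that our own hosts sent traffic to
        "outbound_to_sources": sorted(sources & out_dsts),
    }

if __name__ == "__main__":
    for key, value in correlate(SAMPLE_LOG).items():
        print(key, value)
```
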
