[Dshield] increase port 53 traffic and compromised hosts
hostmaster at denverdata.com
Wed Jan 21 22:36:52 GMT 2004
On Wednesday 21 January 2004 01:45 pm, Pete Cap wrote:
> Just a quick question...
> Have you tried correlating this activity with anything else?
I've looked at the following:
* all incoming port 53 traffic
* all traffic from any port 53 source host
None of the source hosts are attempting any connections to any other ports on
any of our public hosts.
No outgoing traffic is destined for any of the source hosts.
I did get a human response from the ISP that they contacted their customers
and notified them to cease the traffic. Since then the number of source hosts has
been declining slowly:
* Jan 18 -- 17
* Jan 19 -- 15
* Jan 20 -- 12
The number of requests is light but steady, approx 7 requests per hour. It's
been declining slightly as the number of hosts has been declining.
> What other significant recon or "apparent" DDoS are you seeing?
Other than the typical noise of SubSeven, dameware, windows networking (135,
137, 139, 445), MS SQL and HTTP (/sumthin, /scripts/nsiislog, etc), I'm not
seeing anything out of the "ordinary". Certainly nothing that impedes our
Any other thoughts?
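
Added example, not part of the original message: one way to script the three checks described above (distinct port 53 source hosts per day, whether those hosts try any other ports, and whether any outgoing traffic goes to them). The log format, the addresses and the `correlate` function are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed firewall-log format (not from the post):
# date time direction src_ip:src_port -> dst_ip:dst_port proto
SAMPLE_LOG = """\
2004-01-18 03:12:44 IN 198.51.100.7:1029 -> 192.0.2.10:53 UDP
2004-01-18 03:40:02 IN 198.51.100.8:1044 -> 192.0.2.10:53 UDP
2004-01-18 04:01:19 IN 198.51.100.9:3312 -> 192.0.2.11:445 TCP
2004-01-19 01:22:10 IN 198.51.100.7:1030 -> 192.0.2.10:53 UDP
2004-01-19 02:05:51 IN 198.51.100.8:1045 -> 192.0.2.12:135 TCP
2004-01-19 02:30:00 OUT 192.0.2.10:53 -> 198.51.100.7:1030 UDP
2004-01-20 09:15:33 IN 198.51.100.7:1031 -> 192.0.2.10:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def correlate(log_text, port=53):
    """Return (distinct sources per day for `port`, other ports those
    sources tried, outbound packet counts sent to those sources)."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    per_day = defaultdict(set)
    for e in events:
        if e["dir"] == "IN" and int(e["dport"]) == port:
            per_day[e["day"]].add(e["src"])
    sources = set().union(*per_day.values())
    other_ports = defaultdict(set)   # source -> other destination ports it tried
    outbound = defaultdict(int)      # source -> packets we sent to it
    for e in events:
        if e["dir"] == "IN" and e["src"] in sources and int(e["dport"]) != port:
            other_ports[e["src"]].add(int(e["dport"]))
        elif e["dir"] == "OUT" and e["dst"] in sources:
            outbound[e["dst"]] += 1
    daily_counts = {day: len(srcs) for day, srcs in sorted(per_day.items())}
    return daily_counts, dict(other_ports), dict(outbound)

if __name__ == "__main__":
    daily, others, out = correlate(SAMPLE_LOG)
    for day, count in daily.items():
        print(f"{day} -- {count} source hosts")
    print("port 53 sources seen on other ports:", others)
    print("outbound packets to port 53 sources:", out)
```

Hosts that only ever appear on other ports (198.51.100.9 in the sample) are deliberately left out, so the result shows overlap with the port 53 sources rather than general background noise.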