[Dshield] increase port 53 traffic and compromised hosts
peteoutside at yahoo.com
Thu Jan 22 13:23:32 GMT 2004
Nope, can't think of anything else...looks like a sound bit of work there.
I'll let you know if I can think of anything else.
Doug Douglass <hostmaster at denverdata.com> wrote:
On Wednesday 21 January 2004 01:45 pm, Pete Cap wrote:
> Just a quick question...
> Have you tried correlating this activity with anything else?
I've looked at the following:
* all incoming port 53 traffic
* all traffic from any port 53 source host
None of the source hosts are attempting any connections to any other ports on
any of our public hosts.
No outgoing traffic is destined for any of the source hosts.
I did get a human response from the ISP that they contacted their customers
and notified them to cease the traffic. Since then the number of source hosts has
been declining slowly:
* Jan 18 -- 17
* Jan 19 -- 15
* Jan 20 -- 12
The number of requests is light but steady, approx 7 requests per hour. It's
been declining slightly as the number of hosts has been declining.
> What other significant recon or "apparent" DDoS are you seeing?
Other than the typical noise of SubSeven, DameWare, Windows networking (135,
137, 139, 445), MS SQL and HTTP (/sumthin, /scripts/nsiislog, etc), I'm not
seeing anything out of the "ordinary". Certainly nothing that impedes our
Any other thoughts?
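The correlation described in the quoted message (distinct port 53 source hosts per day, whether those hosts touch any other port, and whether anything goes out to them), as an added example that is not part of the original thread. The log format, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (hypothetical format, documentation addresses):
# date time direction src_ip:src_port dst_ip:dst_port proto
SAMPLE_LOG = """\
2004-01-18 01:02:11 IN 192.0.2.10:1030 198.51.100.5:53 UDP
2004-01-18 01:40:52 IN 192.0.2.11:1044 198.51.100.5:53 UDP
2004-01-18 02:15:09 IN 203.0.113.7:4021 198.51.100.8:445 TCP
2004-01-19 03:11:37 IN 192.0.2.10:1031 198.51.100.5:53 UDP
2004-01-19 04:22:40 IN 192.0.2.12:2200 198.51.100.5:53 UDP
2004-01-19 04:23:02 IN 192.0.2.12:2201 198.51.100.6:80 TCP
2004-01-20 05:00:13 OUT 198.51.100.5:1050 192.0.2.11:80 TCP
2004-01-20 06:45:27 IN 192.0.2.10:1032 198.51.100.5:53 UDP
"""

def parse(line):
    """Split one log line into (date, direction, src_ip, dst_ip, dst_port)."""
    date, _time, direction, src, dst, _proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return date, direction, src_ip, dst_ip, int(dst_port)

def correlate(log_text, port=53):
    """Return (hosts per day, other ports probed per source, sources we sent to)."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    per_day = defaultdict(set)
    for date, direction, src, _dst, dport in events:
        if direction == "IN" and dport == port:
            per_day[date].add(src)
    sources = set().union(*per_day.values())
    other_ports = defaultdict(set)   # port-53 sources that also hit other ports
    contacted = set()                # port-53 sources our side sent traffic to
    for _date, direction, src, dst, dport in events:
        if direction == "IN" and src in sources and dport != port:
            other_ports[src].add(dport)
        elif direction == "OUT" and dst in sources:
            contacted.add(dst)
    daily = {d: len(s) for d, s in sorted(per_day.items())}
    return daily, dict(other_ports), contacted

if __name__ == "__main__":
    daily, other_ports, contacted = correlate(SAMPLE_LOG)
    for day, count in daily.items():
        print(f"{day}: {count} distinct port 53 source hosts")
    print("sources also probing other ports:", other_ports)
    print("sources receiving outgoing traffic:", contacted)
```

Empty results for the last two values correspond to the situation reported in the thread: the sources touch nothing but port 53 and nothing goes back out to them.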