[Dshield] increase port 53 traffic and compromised hosts

Pete Cap peteoutside at yahoo.com
Thu Jan 22 13:23:32 GMT 2004


Doug,
 
Nope, can't think of anything else...looks like a sound bit of work there.
I'll let you know if I can think of anything else.
 
Pete

Doug Douglass <hostmaster at denverdata.com> wrote:
On Wednesday 21 January 2004 01:45 pm, Pete Cap wrote:
> Just a quick question...
>
> Have you tried correlating this activity with anything else?

I've looked at the following:
* all incoming port 53 traffic
* all traffic from any port 53 source host

None of the source hosts are attempting any connections to any other ports on 
any of our public hosts.

No outgoing traffic is destined for any of the source hosts.

I did get a human response from the ISP that they contacted their customers 
and notified them to cease the traffic. Since then the number of source hosts 
has been declining slowly:
* Jan 18 -- 17
* Jan 19 -- 15
* Jan 20 -- 12

The number of requests is light but steady, approx 7 requests per hour. It's 
been declining slightly as the number of hosts has been declining.

>
> What other significant recon or "apparent" DDoS are you seeing?
>

Other than the typical noise of SubSeven, DameWare, Windows networking (135, 
137, 139, 445), MS SQL and HTTP (/sumthin, /scripts/nsiislog, etc), I'm not 
seeing anything out of the "ordinary". Certainly nothing that impedes our 
bandwidth.

Any other thoughts?

Thanks,
Doug
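
Added example, not part of the original thread and not code from either poster: a sketch of the three correlation checks described above (distinct port 53 source hosts per day, other ports those hosts touched, and outbound traffic destined for them). The five-field log format, the function names and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (assumed format): date direction src dst dst_port
SAMPLE_LOG = """\
2004-01-18 IN 192.0.2.10 198.51.100.5 53
2004-01-18 IN 192.0.2.11 198.51.100.5 53
2004-01-18 IN 203.0.113.7 198.51.100.6 445
2004-01-19 IN 192.0.2.10 198.51.100.5 53
2004-01-19 IN 192.0.2.11 198.51.100.6 135
2004-01-19 OUT 198.51.100.5 192.0.2.10 53
2004-01-20 IN 192.0.2.10 198.51.100.5 53
not a log line
"""

def parse(text):
    """Yield (date, direction, src, dst, dport); skip malformed lines."""
    for line in text.splitlines():
        p = line.split()
        if len(p) != 5 or p[1] not in ("IN", "OUT") or not p[4].isdigit():
            continue
        yield p[0], p[1], p[2], p[3], int(p[4])

def correlate(text, port=53):
    events = list(parse(text))
    # Check 1: distinct external hosts sending inbound traffic to the port, per day.
    per_day = defaultdict(set)
    for date, direction, src, _dst, dport in events:
        if direction == "IN" and dport == port:
            per_day[date].add(src)
    sources = set().union(*per_day.values())
    other_ports = defaultdict(set)   # Check 2: other ports those hosts probed
    outbound = defaultdict(set)      # Check 3: our hosts that sent traffic to them
    for _date, direction, src, dst, dport in events:
        if direction == "IN" and src in sources and dport != port:
            other_ports[src].add(dport)
        elif direction == "OUT" and dst in sources:
            outbound[dst].add(src)
    return {
        "hosts_per_day": {d: len(h) for d, h in sorted(per_day.items())},
        "other_ports": {h: sorted(p) for h, p in other_ports.items()},
        "outbound_to_sources": {h: sorted(s) for h, s in outbound.items()},
    }

if __name__ == "__main__":
    for name, result in correlate(SAMPLE_LOG).items():
        print(name, result)
```

Empty `other_ports` and `outbound_to_sources` results correspond to the situation reported in the thread; any entry there marks a source host worth a closer look.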
