[unisog] [REN-ISAC] Alert: DNS Smurfing

Ryan Dorman Ryan.Dorman at millersville.edu
Wed Dec 15 15:11:27 GMT 2004


Doug-

You were correct.  I found the most likely culprit (confirmed by
some nmap'ing of the host)

http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00123.html

Thanks.

  _____  

From: Doug Pearson [mailto:dodpears at indiana.edu] 
Sent: Tuesday, December 14, 2004 10:27 AM
To: unisog at lists.sans.org
Subject: Re: [unisog] [REN-ISAC] Alert: DNS Smurfing

 

Ryan, 

Likely not. The DNS reflector attack involves well-formed valid DNS requests
(although from spoofed sources!) sent to the server. Are you seeing an
increase in TCP SYN aimed at the server, i.e. just SYNs with no purpose? At
what rate? 

-dp 

 

At 09:48 AM 12/13/2004 -0500, Ryan Dorman wrote: 
>I have recently seen an increase in data on syn packets heading towards DNS
>server.  Is this related to this smurf attack?
> 
>Ryan Dorman, CCNA 
>Network Communications Specialist 
>Millersville University 
>717.871.5883 
>Ryan.Dorman at millersville.edu 
> 
>PGP Public Key: http://cns.millersville.edu/rdorman_key.txt
> 
> 
> 
>  _____  
> 
>From: Florian Weimer <fw at deneb.enyo.de> 
>Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org> 
>Date: Sat, 11 Dec 2004 13:59:01 -0500 
>To: <unisog at lists.sans.org> 
>Subject: Re: [unisog] [REN-ISAC] Alert: DNS Smurfing 
> 
>* Doug Pearson: 
> 
>> Over the past couple of days several DNS Smurf attacks have been 
>> underway affecting research and education (R&E) and commercial 
>> networks. A typical DNS Smurf attack[1] works as follows: Many DNS 
>> queries of type = "any" are sent to multiple DNS servers. The 
>> queries contain the source-spoofed address of the target. 
> 
>Do these attacks already exploit the superior amplification facilities 
>EDNS0 provides? 
>_______________________________________________ 
>unisog mailing list 
>unisog at lists.sans.org 
>http://www.dshield.org/mailman/listinfo/unisog

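The alert quoted in this thread describes type "any" queries that carry the target's spoofed source address, and the follow-up asks about EDNS0. As an added example (not part of the original messages), this Python code parses DNS query payloads captured at a server, reports the query type and any advertised EDNS0 UDP size, and tallies ANY queries per claimed source. All function names and the sample addresses are assumptions made for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255    # the type = "any" query named in the alert
RRTYPE_OPT = 41    # OPT pseudo-record, present when the query uses EDNS0

def build_query(name, qtype, edns_size=None):
    """Constructed sample input: encode a single-question DNS query."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += labels + b"\0" + struct.pack("!2H", qtype, 1)
    if edns_size:  # root name, TYPE=OPT, CLASS=UDP size, TTL=0, RDLEN=0
        msg += b"\0" + struct.pack("!2HIH", RRTYPE_OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # pointer is two bytes, root label one

def inspect_query(msg):
    """Return (qtype, EDNS0 UDP size or None), or None if not a parseable query."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off = skip_name(msg, 12)
        qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
        off, edns = off + 4, None
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == RRTYPE_OPT:
                edns = rclass          # OPT reuses CLASS as the UDP payload size
    except (IndexError, struct.error):
        return None                    # truncated or malformed message
    return (qtype, edns) if qd == 1 and not flags & 0x8000 else None

def probable_targets(packets, threshold):
    """Count ANY queries per claimed source; a spoofed source is the victim."""
    hits = Counter()
    for src, payload in packets:
        info = inspect_query(payload)
        if info and info[0] == QTYPE_ANY:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample: (claimed source IP, UDP payload) pairs seen at a DNS server.
SAMPLE = ([("192.0.2.10", build_query("example.edu", QTYPE_ANY, 4096))] * 3
          + [("198.51.100.7", build_query("example.edu", 1))])
```

Because the source address on these queries is forged, an address returned by `probable_targets` is the likely victim of the reflection, not the sender.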
