[45078] in North American Network Operators' Group


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: huh

daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Jan 15 16:22:38 2002

Date: Tue, 15 Jan 2002 16:22:03 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <0fae01c19e0e$7fa253c0$ea9a8d18@evilinc>
Message-ID: <Pine.GSO.4.40.0201151615560.18595-100000@clifden.donelan.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu



On Tue, 15 Jan 2002, Tim Devries wrote:
> Ok, well this is good to know.  Although it still doesn't explain why my
> firewall is reporting DNS UDP/TCP probes from windowupdate.com on a regular
> basis.

A couple of possibilities
   - DNS cache poisoning sending spoofed answers to your DNS server (are
       you running a current version of BIND or an alternative?)
   - DDOS attack on windowsupdate.com using spoofed source packets (DNS
       and HTTP packets can tunnel through most firewall configurations)


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[45078] in North American Network Operators' Group

Re: huh

daemon@ATHENA.MIT.EDU (Sean Donelan)Tue Jan 15 16:22:38 2002

daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Jan 15 16:22:38 2002