[45080] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: huh

daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Jan 15 17:24:37 2002

Date: Tue, 15 Jan 2002 17:23:52 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.40.0201151615560.18595-100000@clifden.donelan.com>
Message-ID: <Pine.GSO.4.40.0201151721460.18654-100000@clifden.donelan.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu



On Tue, 15 Jan 2002, Sean Donelan wrote:
> On Tue, 15 Jan 2002, Tim Devries wrote:
> > Ok, well this is good to know.  Although it still doesn't explain why my
> > firewall is reporting DNS UDP/TCP probes from windowupdate.com on a regular
> > basis.
>
> A couple of possibilities
>    - DNS cache poisoning sending spoofed answers to your DNS server (are
>        you running a current version of BIND or an alternative?)
>    - DDOS attack on windowsupdate.com using spoofed source packets (DNS
>        and HTTP packets can tunnel through most firewall configurations)

Here are examples of the bogus queries I've been seeing.  Since this is
a non-windows machine, it has no reason to query windowsupdate.com for
any purpose.


Jan 14 22:08:47 clifden named[14504]: [ID 295310 daemon.notice] denied
query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 14 22:08:47 clifden last message repeated 2 times
Jan 14 23:12:12 clifden named[14504]: [ID 295310 daemon.notice] denied
query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 14 23:14:05 clifden last message repeated 5 times
Jan 15 00:24:56 clifden named[14504]: [ID 295310 daemon.notice] denied
query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 15 00:24:56 clifden last message repeated 2 times
Jan 15 01:32:20 clifden named[14504]: [ID 295310 daemon.notice] denied
query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 15 01:36:13 clifden last message repeated 8 times
Jan 15 01:38:19 clifden named[14504]: [ID 295310 daemon.notice] denied
query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 15 01:38:19 clifden last message repeated 2 times
home help back first fref pref prev next nref lref last post