[80719] in North American Network Operators' Group
Re: Unusual IN ANY DNS Traffic
daemon@ATHENA.MIT.EDU (Douglas E. Warner)
Wed May 11 07:45:06 2005
From: "Douglas E. Warner" <dwarner@ctinetworks.com>
To: nanog@merit.edu
Date: Wed, 11 May 2005 07:44:29 -0400
Cc: Simon Waters <simonw@zynet.net>
In-Reply-To: <1115798280.8199.TMDA@mercury.zynet.net>
On Wednesday 11 May 2005 03:57, Simon Waters wrote:
> Indeed modern versions of BIND default to high ports for DNS queries as
> well unless configured otherwise. I think old versions of BIND and the odd
> firewall product were the main thing doing source port 53 queries.
>
> I was going to suggest email servers as a possible cause -- I think
> probably you'll have to speak to a customer if it still persists. Make sure
> they haven't been owned. Might just have been a spam run or mailshot with
> "msn.com" as the reply, and you discovering how many email servers are out
> there or similar.
>
I suspect you're correct; these are probably some DSL customers who have been
"0wn3d" by either a virus or malware and have just been "turned on" to spam
domains at "msn.com". Unfortunately we don't do protocol graphs on our major
routers or else I would have been able to see a spike of port 25 traffic if
it had existed - we just graph our DNS server query which is why I noticed
the jump.
> I assume you're not using something daft like MS DNS server, but a recent
> BIND or DJB cache.
Also correct; we're running BIND 9.2.2 and I parse the query logs to see what
kind of traffic we're getting via the different query types.
-Doug
-- 
Douglas E. Warner <dwarner@ctinetworks.com> Network Engineer
CTI Networks, Inc. http://www.ctinetworks.com +1 717 975 9000
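The query-log parsing Doug describes (counting queries by type to spot a jump in IN ANY traffic) can be done with a short script. The following is an added example, not code from the original posting or from CTI Networks; it assumes the classic BIND 9 query-log line shape (`client ADDR#PORT: query: NAME CLASS TYPE`, optionally preceded by a timestamp and followed by flags), and the sample log lines are constructed. It counts queries per type, breaks ANY queries down by client and by queried name, notes which clients query from source port 53 (the behaviour Simon attributes to old BIND builds and some firewalls), and flags a run where ANY queries make up an unusual share of the total.

```python
import re
from collections import Counter, defaultdict

# Classic BIND 9 query-log line shape (assumption: fields vary between versions,
# so the timestamp, the "@0x..." client handle, the view name and trailing flags
# are all treated as optional):
#   [timestamp] client [@0x..] ADDR#PORT: [view NAME:] query: NAME CLASS TYPE [flags]
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)

# Constructed sample log: five ANY lookups of msn.com from three DSL-style
# clients using source port 53, plus ordinary traffic and one junk line.
SAMPLE_LOG = """\
11-May-2005 07:10:01.123 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 07:10:01.456 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 07:10:02.001 client 192.0.2.11#53: query: msn.com IN ANY
11-May-2005 07:10:02.300 client 192.0.2.11#53: query: msn.com IN ANY
11-May-2005 07:10:02.900 client 192.0.2.12#53: query: msn.com IN ANY
11-May-2005 07:10:03.010 client 198.51.100.7#40123: query: www.example.com IN A
11-May-2005 07:10:03.400 client 198.51.100.8#51888: query: example.net IN MX
11-May-2005 07:10:04.002 client 198.51.100.9#33120: query: 10.2.0.192.in-addr.arpa IN PTR
11-May-2005 07:10:04.700 client 2001:db8::5#54001: query: example.org IN AAAA
named[123]: starting BIND 9.2.2 (not a query line)
"""


def parse_query_log(lines):
    """Yield (client_ip, source_port, name, qclass, qtype) for each line that parses."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield (m.group("addr"), int(m.group("port")),
                   m.group("name"), m.group("class"), m.group("type"))


def summarize(records):
    """Aggregate parsed records: totals per qtype, per-type client and name
    breakdowns, and the clients that send queries from source port 53."""
    by_type = Counter()
    clients_by_type = defaultdict(Counter)
    names_by_type = defaultdict(Counter)
    port53_sources = Counter()
    for addr, port, name, _qclass, qtype in records:
        by_type[qtype] += 1
        clients_by_type[qtype][addr] += 1
        names_by_type[qtype][name.lower().rstrip(".")] += 1
        if port == 53:
            port53_sources[addr] += 1
    return by_type, clients_by_type, names_by_type, port53_sources


def flag_any_spike(by_type, threshold_ratio=0.2, min_count=5):
    """True when ANY queries are both numerous and an outsized share of all
    queries. Thresholds are illustrative; tune them against your own baseline."""
    total = sum(by_type.values())
    any_count = by_type.get("ANY", 0)
    return total > 0 and any_count >= min_count and any_count / total > threshold_ratio


def report(log_text):
    """Return a human-readable summary for a block of query-log text."""
    by_type, clients, names, p53 = summarize(parse_query_log(log_text.splitlines()))
    out = ["queries by type: " + ", ".join(f"{t}={n}" for t, n in by_type.most_common())]
    if "ANY" in by_type:
        out.append("ANY by client: " + ", ".join(f"{a}={n}" for a, n in clients["ANY"].most_common(5)))
        out.append("ANY by name:   " + ", ".join(f"{a}={n}" for a, n in names["ANY"].most_common(5)))
    if p53:
        out.append("source-port-53 clients: " + ", ".join(sorted(p53)))
    out.append("ANY spike: " + ("YES" if flag_any_spike(by_type) else "no"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real `named` query log by replacing `SAMPLE_LOG` with the file contents; the per-client breakdown is what turns "a jump in ANY" into a short list of customer addresses to contact, and the source-port-53 list separates old-resolver behaviour from the rest of the traffic.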