We have experienced several attempts to kill our nameservers over the past
few weeks. The first one was successful. I've noticed in my logs that there
are a number of hits against all our registered DNS boxes... typically a TCP
attack looking for a reverse lookup in rapid succession. In an "older"
version of BIND it apparently caused NAMED to core dump.

Dan

-----Original Message-----
From: Andy Haigh [mailto:[EMAIL PROTECTED]]
Sent: Mon, March 19, 2001 10:32 PM
To: Firewall List (E-mail)
Subject: Suspicious Deny's


We have been logging these DNS requests on our ipchains firewall; this
firewall does not provide any DNS services. Is this suspicious, in that the
source the requests are coming from is on such high port numbers, and given
the speed of the requests?

Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1535 203.41.84.7:53 L=60 S=0x00 I=58708 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1536 203.41.84.8:53 L=60 S=0x00 I=58709 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1537 203.41.84.9:53 L=60 S=0x00 I=58710 F=0x4000 T=44 SYN (#13)
Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1538 203.41.84.10:53 L=60 S=0x00 I=58711 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:42 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1539 203.41.84.11:53 L=60 S=0x00 I=58747 F=0x4000 T=44 SYN (#13)
Mar 20 09:43:42 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1540 203.41.84.12:53 L=60 S=0x00 I=58748 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1535 203.41.84.7:53 L=60 S=0x00 I=58943 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1536 203.41.84.8:53 L=60 S=0x00 I=58944 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1537 203.41.84.9:53 L=60 S=0x00 I=58945 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1538 203.41.84.10:53 L=60 S=0x00 I=58946 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1539 203.41.84.11:53 L=60 S=0x00 I=58972 F=0x4000 T=44 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 202.39.29.162:1540 203.41.84.12:53 L=60 S=0x00 I=58973 F=0x4000 T=43 SYN (#13)

I await your thoughts.

Thanks

Andy
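
An added example, not part of either message: a parser for the ipchains packet-log layout quoted above that groups denied TCP SYNs to port 53 by source and separates distinct targets from SYN retransmissions. The sample lines are constructed (documentation addresses), and the function names and the `min_targets` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains "Packet log" layout quoted above;
# addresses are documentation ranges, not the ones from the post.
SAMPLE = """\
Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.50:1535 198.51.100.7:53 L=60 S=0x00 I=58708 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.50:1536 198.51.100.8:53 L=60 S=0x00 I=58709 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:41 firewall kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.50:1537 198.51.100.9:53 L=60 S=0x00 I=58710 F=0x4000 T=44 SYN (#13)
Mar 20 09:43:42 firewall kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.50:1538 198.51.100.10:53 L=60 S=0x00 I=58711 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.50:1535 198.51.100.7:53 L=60 S=0x00 I=58943 F=0x4000 T=43 SYN (#13)
Mar 20 09:43:44 firewall kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.50:1536 198.51.100.8:53 L=60 S=0x00 I=58944 F=0x4000 T=43 SYN (#13)
Mar 20 09:44:10 firewall kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.99:1029 198.51.100.7:53 L=71 S=0x00 I=4411 F=0x0000 T=52 (#13)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse(text):
    """Yield one dict per ipchains packet-log entry; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def tcp53_sweeps(text, min_targets=3):
    """Summarise denied TCP SYNs to port 53 per source address.
    A repeated (source port, destination) pair is counted as a retransmitted,
    unanswered SYN. min_targets is an arbitrary threshold for this example."""
    flows = defaultdict(lambda: defaultdict(int))  # src -> (sport, dst) -> packets
    for e in parse(text):
        if e["action"] == "DENY" and e["proto"] == "6" and e["dport"] == "53" and e["syn"]:
            flows[e["src"]][(e["sport"], e["dst"])] += 1
    report = {}
    for src, seen in flows.items():
        targets = {dst for _, dst in seen}
        packets = sum(seen.values())
        report[src] = {"targets": len(targets), "packets": packets,
                       "retransmits": packets - len(seen),
                       "sweep": len(targets) >= min_targets}
    return report

if __name__ == "__main__":
    print(tcp53_sweeps(SAMPLE))
```

A source that walks consecutive addresses with incrementing source ports and then repeats the same pairs a few seconds later shows up here as several targets plus retransmits, which is the pattern in the quoted log.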

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]