Hi,

Netman wrote:

Every so often (every few days or weeks), I get 2 straight hours of alarms
for packets attempting to come in on Port 53.

From your logs, packets seem to be coming from your ISP's DNS port 53, to an unprivileged port of your DNS server.

My guess: you have an HTTP server or something like that which is configured for off-peak hours DNS resolution of its log files. So it's sending a lot of DNS queries to your DNS that forwards it to your ISP server, and these attempts are late replies...

Rgds,

--
Emmanuel C.

 There could be thousands of
these during the attack, coming in at the rate of 20 or so per minute.   The
odd thing is, they appear to be coming from my ISP.  I have a DNS server set
up for name resolution on the lan.  Is there any way these packets could be
something I did, or should I shake down my ISP some more?  209.198.87.40 is
my ISP and the apparent sending address of all these packets.    xxx.242 is
the external address of my DNS server (and my email server).

     ALARM NO: 1
         DATE: Wednesday, Oct 30, 2002
         TIME: 14:16:03
    INTERFACE: EXTERNAL (fxp1)
INTERFACE TYPE: External
   ALARM TYPE: Block
    IP PACKET: UDP  [209.198.87.40/53]-->[xxx.xxx.xxx.242/30571]  l=43
                   [clover.sover.net/domain]-->[mail.blablabla.com/30571]

DETAILED DESCRIPTION:
     IP packet was rejected.

Thanks,

           Ken Hewitt, MIS Manager
           Nexus Custom Electronics, Brandon, VT
           [EMAIL PROTECTED]
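
One way to triage alarms like the one quoted above, as an added example that is not part of the original thread: it parses records in the alarm layout shown and separates blocked UDP packets that fit the late-DNS-reply pattern (from a known forwarder's port 53 to an unprivileged port) from everything else. The forwarder set, the 192.0.2.242 stand-in for the masked address, the sample records and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the alarm layout quoted above. 192.0.2.242 stands in
# for the masked external address; 198.51.100.7 is a made-up unrelated host.
SAMPLE = """\
         DATE: Wednesday, Oct 30, 2002
         TIME: 14:16:03
    INTERFACE: EXTERNAL (fxp1)
    IP PACKET: UDP  [209.198.87.40/53]-->[192.0.2.242/30571]  l=43
         DATE: Wednesday, Oct 30, 2002
         TIME: 14:16:41
    IP PACKET: UDP  [209.198.87.40/53]-->[192.0.2.242/30580]  l=43
         DATE: Wednesday, Oct 30, 2002
         TIME: 14:17:09
    IP PACKET: UDP  [198.51.100.7/53]-->[192.0.2.242/53]  l=60
"""
PACKET = re.compile(r"(\w+)\s+\[([^/\]]+)/(\d+)\]-->\[([^/\]]+)/(\d+)\]")

def parse_alarms(text):
    """Yield one dict per alarm record that carries an IP PACKET line."""
    date = time = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "DATE":
            date = value.strip()
        elif key == "TIME":
            time = value.strip()
        elif key == "IP PACKET" and date and time and (m := PACKET.match(value.strip())):
            ts = datetime.strptime(f"{date} {time}", "%A, %b %d, %Y %H:%M:%S")
            yield {"ts": ts, "proto": m[1], "src": m[2], "sport": int(m[3]),
                   "dst": m[4], "dport": int(m[5])}

def is_probable_late_reply(rec, forwarders):
    # Heuristic: UDP source address and port are trivially forged, so a match
    # means "consistent with a late reply", not "proven benign".
    return (rec["proto"] == "UDP" and rec["sport"] == 53
            and rec["dport"] > 1023 and rec["src"] in forwarders)

def triage(text, forwarders):
    """Return (per-minute counts of probable late replies, other records)."""
    late, other = Counter(), []
    for rec in parse_alarms(text):
        if is_probable_late_reply(rec, forwarders):
            late[(rec["src"], rec["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
        else:
            other.append(rec)
    return late, other

if __name__ == "__main__":
    late, other = triage(SAMPLE, {"209.198.87.40"})
    print(dict(late), [r["src"] for r in other])
```

Records left in the second list (wrong source, wrong port pattern, or not UDP) are the ones worth a closer look; the per-minute counts can be compared against the times the internal resolver was busiest.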

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages:
http://www.mail-archive.com/gb-users@;gta.com