Brad, when you go to Weather.com, do you happen to notice one of those
stupid "pop-under" ads from x10.com?

I've checked, double checked, and triple checked this a number of times -
the culprit is ads.x10.com.  Every time I see this ad, I check my lrp.
Consistently, this is the only site for me that causes this DNS flood in my
logs.  Unfortunately, this ad site is attaching to more and more web sites
including yahoo and my local small town newspaper site!

----- Original Message -----
From: "Brad Fritz" <[EMAIL PROTECTED]>
To: "Robert Williams" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, October 25, 2001 11:58 PM
Subject: Re: [Leaf-user] DNS flood?


>
> On Thu, 25 Oct 2001 17:49:35 PDT Robert wrote:
>
> > This afternoon I received 292 log items in 6 seconds.
>
> There was a lot of discussion of these floods on the linux-router
> list in late April and May of this year.  IIRC, they are response
> time measurement probes that are part of a global load-balancing
> scheme.  Hitting certain web sites ( http://www.weather.com/ for me)
> will trigger them.
>
> I couldn't find a concise description of the scheme (maybe another
> subscriber has one?), but if you search the Geocrawler linux-router
> archives from May
>   http://www.geocrawler.com/archives/3/303/2001/5/0/ ,
> you'll probably find more information.  I also vaguely remember
> a thread on the Security Focus "incidents" list.  I think David
> Douthitt, of Oxygen fame, was one of the posters.
>
> There's an ipfilter.conf hack to prevent logging of them at
>   http://www.geocrawler.com/mail/msg.php3?msg_id=5930039&list=303
> that you might find useful.
>
> --Brad
>
>
> > I know that
> > port 53 is related to DNS but beyond that I am fairly naive. The log
> > analyzer at http://www.echogent.com/cgi-bin/fwlog.pl did not have any
> > thing specific to say about these. It is interesting to me that all 18
> > of the IPs that sent packets did so all within 6 seconds, most of
> > them sending exactly 16 packets each. Any help diagnosing this would
> > be helpful. If they are harmless I will just make up an ipchains rule
> > to not log them. I am using Dachstein rc2.
> > Thanks for any insight.
> > Robert Williams
> >
> >
> > 292
> > Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
> > 64.14.200.154:17181 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245
> > (#41)
> > Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
> > 209.249.97.40:60302 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245
> > (#41)
> > Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
> > 208.184.162.71:15070 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=246
> > (#41)
> >
> > <snip>
> >
> > Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6
> > 202.139.133.129:16725 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=243
> > (#41)
> > Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6
> > 203.208.128.70:32687 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=241
> > (#41)
> >
> > List of offending IPs
> > 194.205.125.26
> > 194.213.64.150
> > 202.139.133.129
> > 203.194.166.182
> > 203.208.128.70
> > 207.55.138.206
> > 208.184.162.71
> > 209.249.97.40
> > 212.78.160.237
> > 216.220.39.42
> > 216.33.35.214
> > 216.34.68.2
> > 216.35.167.58
> > 62.23.80.2
> > 62.26.119.34
> > 64.14.200.154
> > 64.37.200.46
> > 64.56.174.18
> >
> > 6
> > 64.78.235.14
> >
>


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
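An added example (mine, not code from this thread, from LEAF or from the fwlog analyzer): a small Python triage script that parses ipchains "Packet log" lines of the shape Robert posted and reports bursts of denied packets to port 53 that come from many distinct sources inside a short window, which is exactly the pattern the log analyzer had nothing specific to say about. A handful of packets from each of many unrelated addresses, all inside a few seconds and all 44 bytes long, looks like the response-time probing Brad describes rather than one host hammering the resolver; 44 bytes is an IP header plus a TCP SYN carrying an MSS option, so the L=44 lines are consistent with bare connection attempts (ipchains does not log TCP flags, so that is an inference, not a certainty). Assumptions: the field layout comes from the quoted log lines; the year 2001 is assumed for timestamp ordering because syslog omits it; the sample log is constructed, reusing six source addresses from Robert's list plus two made-up addresses from the 198.51.100.0/24 documentation range; the thresholds `window_seconds` and `min_sources` are my own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout taken from the ipchains "Packet log:" lines quoted in the thread:
#   Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
#   64.14.200.154:17181 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)

LOG_YEAR = 2001  # assumed: syslog timestamps carry no year; only used to order events


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{LOG_YEAR} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "verdict": d["verdict"], "iface": d["iface"], "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "ttl": int(d["ttl"]),
    }


def find_probe_bursts(lines, dport=53, proto=6, window_seconds=10, min_sources=5):
    """Group denied proto/dport packets into windows of at most window_seconds (measured
    from the first packet in the window) and keep the windows that involve at least
    min_sources distinct source addresses.  Many sources, a few packets each, all inside
    a few seconds is the shape of Robert's log; one noisy host never qualifies."""
    events = [e for e in map(parse_line, lines)
              if e is not None and e["proto"] == proto and e["dport"] == dport]
    events.sort(key=lambda e: e["ts"])
    bursts = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        j = i
        while j < len(events) and (events[j]["ts"] - start).total_seconds() <= window_seconds:
            j += 1
        chunk = events[i:j]
        per_source = Counter(e["src"] for e in chunk)
        if len(per_source) >= min_sources:
            bursts.append({
                "start": start,
                "end": chunk[-1]["ts"],
                "packets": len(chunk),
                "sources": sorted(per_source),
                "per_source": dict(per_source),
                "lengths": sorted({e["length"] for e in chunk}),
            })
        i = j
    return bursts


# Constructed sample log (not from the post): six of the source addresses Robert listed,
# three 44-byte packets each spread over 15:51:01-15:51:07, plus two unrelated denies
# (one host on port 80, and a lone port-53 packet later) that must not be flagged.
_SOURCES = ["64.14.200.154", "209.249.97.40", "208.184.162.71",
            "202.139.133.129", "203.208.128.70", "194.205.125.26"]


def build_sample_log():
    lines = []
    for n, src in enumerate(_SOURCES):
        for k in range(3):
            sec = 1 + (n + 2 * k) % 7  # scatter the packets across seconds 01..07
            lines.append(
                f"Oct 25 15:51:{sec:02d} firewall kernel: Packet log: input DENY eth0 PROTO=6 "
                f"{src}:{17000 + 100 * n + k} 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T={240 + n} (#41)"
            )
    lines.append("Oct 25 15:40:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
                 "198.51.100.7:4321 64.171.17.149:80 L=48 S=0x00 I=12345 F=0x4000 T=64 (#12)")
    lines.append("Oct 25 16:02:33 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
                 "198.51.100.9:50000 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=50 (#41)")
    return lines


if __name__ == "__main__":
    for b in find_probe_bursts(build_sample_log()):
        span = (b["end"] - b["start"]).total_seconds()
        print(f"{b['packets']} denied packets to port 53 from {len(b['sources'])} sources "
              f"in {span:.0f}s starting {b['start']:%b %d %H:%M:%S}; "
              f"packets per source: {b['per_source']}; lengths: {b['lengths']}")
```

Run it against real lines from /var/log (one log entry per line; entries that mail quoting has wrapped onto two or three lines, as in the post above, will not match and are skipped). A reported burst whose sources are many, whose per-source counts are small and roughly equal and whose lengths are all 44 is the probe signature from the thread; a burst with a single source, or with DNS-sized payloads, is something else and deserves a closer look before any "don't log this" rule is added.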
