RE: What sort of attack is this?

From: Lyle (Lyle@lcrcomputer.com)
Date: 09/17/01


Message-ID: <C1FE9C26DE0AD511ADCC00010229083014E9CA@mail.lcrcomputer.com>
From: Lyle <Lyle@lcrcomputer.com>
To: 'Don Felgar' <dfelgar@rainierinternet.com>, focus-linux@lists.securityfocus.com
Subject: RE: What sort of attack is this?
Date: Sun, 16 Sep 2001 20:55:26 -0500

I see that kind of stuff here all the time. So I block anything that the
host doesn't need.

It's all part of a circle. Port 53 is DNS. Some implementations and
versions are vulnerable to security leaks or DoS attacks. I had that
problem when I was running 8.something. There was a version that would fall
over when hit. I was wondering why BIND would just stop responding. Then I
upgraded to version 9 and I keep up with those versions including all of the
release candidates.

As far as legit services, my first rule of thumb is make sure that you are
not running a bad version of whatever. I spend a lot of time compiling BIND
each time a new version comes out for instance...

Lyle

-----Original Message-----
From: Don Felgar [mailto:dfelgar@rainierinternet.com]
Sent: Sunday, September 16, 2001 3:19 AM
To: focus-linux@lists.securityfocus.com
Subject: What sort of attack is this?

Hello all,

I've got a couple of related questions.

Several times lately I've seen an apparent bind attack. As you can
see port 53 is blocked on that particular host -- actually the host
isn't running bind anyway. There were 77 attempts to access port 53
from perhaps 20 unrelated hosts over the course of eight seconds.

... stuff deleted ...

  How do you all monitor
the usage of valid services?

Thanks in advance
Don Felgar


