RE: VPN connection attempts to resolvers?

From: Toni Heinonen (Toni.Heinonen@teleware.fi)
Date: 04/04/02


Date: Thu, 4 Apr 2002 19:54:05 +0300
From: "Toni Heinonen" <Toni.Heinonen@teleware.fi>
To: "Mike Lewinski" <mike@rockynet.com>, <incidents@securityfocus.com>


> We've observed what appear to be attempts to establish a VPN connection to
> our caching-only resolvers. I have commented each of the packet dumps below.
> None of our nameservers provide any VPN services, and never have.
>
> Since I am not a VPN expert, I'm wondering if anyone else can shed some
> light on what might be going on here. Is this just a brain-dead VPN client
> that's making bad assumptions about its resolvers? Or is there something
> more malicious going on? The traffic was picked up after a SYN flood to one
> of the DNS servers led to further investigation.

Hello!

This matter has been previously discussed. Please see
http://lists.jammed.com/incidents/2002/01/0175.html

HTH,
TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone +358 (9) 3434 9123 * Fax +358 (9) 3431 321
   Wireless +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki, Finland
   toni.heinonen@teleware.fi * www.teleware.fi
