Re: BIND scan from Wanadoo.fr
From: Mike Arnold (MKArnold@tesco.net)
Date: 08/17/02
From: Mike Arnold <MKArnold@tesco.net>
To: "Baribault, Gary" <gary@baribault.net>, WebMaster@rbfcu.org
Date: Sat, 17 Aug 2002 02:30:34 +0100
On Friday 16 Aug 2002 5:31 pm, you wrote:
> I have seen them scan for misconfigured TP servers all the time .. and I
> block that on all of my firewalls, I think we all know when they add a new
> subnet, we get scanned and add it to our list of Wanadoo .. but what I'm
> saying is that this is the first time I see them originate high port and
> scan the destination port 53 .. that is what is new.
I'm consistently getting scans of this nature from various subnets around the
world. Not traced them back to source since they appeared to be just "noise".
However, they always come on the back of a DNS cache lookup, much like the
"speedera pings" that attempt to route you through to the fastest DNS server.
Not looked into any deeper than that. I have traced the odd one back to a
subnet in Asia (I think), but not carried out a scientific analysis. I have
the logs to go back through at some stage to see if they are consistently
coming from the same region. A big yippee for SamSpade, makes life so much
easier.
Only other thing that appears consistent is that they come in clumps. Never a
solitary scan, always about 6 from various IPs on different subnets. Often
they come as a clump of pings from 6 addresses followed by a clump of DNS
scans from the same IPs. Couldn't explain it, but had other things to worry
about so I never looked any deeper. Things are quietening off so I may do
some studies of them.
On a 2 hour re-connect dialup (yeah, I'm one of those that can't yet get
broadband *sigh*) I've had almost 900 of these in the last month - 2 weeks of
which the firewall was turned off due to holidays. Prior to that I hadn't got
a DNS cache so I couldn't say.
Hope that helps.
Mike
--
"In their capacity as a tool, computers will be but a ripple on the surface of our culture. In their capacity as intellectual challenge, they are without precedent in the cultural history of mankind."
Edsger Wybe Dijkstra on Computers
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
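The pattern described in the message above (bursts of pings from several addresses on different subnets, followed by port 53 probes from the same addresses) can be pulled out of a firewall log with a short script. This is an added example, not part of the original post. The log format, the sample lines, the function names, the 30-second gap and the five-source threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall log (not from the post): 10.x sources stand in for remote
# hosts, 192.0.2.10 is the monitored host. The log format itself is an assumption.
SOURCES = ["10.1.1.5", "10.2.7.9", "10.3.4.2", "10.4.8.1", "10.5.6.3", "10.6.2.7"]
SAMPLE_LOG = "\n".join(
    [f"2002-08-16T17:01:0{i} ICMP {s} > 192.0.2.10 echo-request" for i, s in enumerate(SOURCES)]
    + [f"2002-08-16T17:01:1{i} UDP {s}:{34000 + i} > 192.0.2.10:53" for i, s in enumerate(SOURCES)]
    + ["2002-08-16T17:20:00 UDP 10.8.8.8:53 > 192.0.2.10:1047",    # DNS reply: ignored
       "2002-08-16T17:40:00 UDP 10.9.9.9:40111 > 192.0.2.10:53"])  # solitary probe
LINE = re.compile(r"(\S+) (ICMP|TCP|UDP) ([\d.]+)(?::(\d+))? > [\d.]+(?::(\d+))?")

def parse(log):
    """Yield (time, kind, source) for pings and for high-port probes of port 53."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, proto, src, sport, dport = m.groups()
        if proto == "ICMP":
            yield datetime.fromisoformat(ts), "ping", src
        elif dport == "53" and sport and int(sport) >= 1024:
            yield datetime.fromisoformat(ts), "dns", src

def find_clumps(events, gap=timedelta(seconds=30), min_sources=5):
    """Split events into bursts at quiet gaps; report bursts with many sources."""
    bursts, current = [], []
    for ev in sorted(events):
        if current and ev[0] - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append(ev)
    bursts.append(current)
    found = []
    for burst in bursts:
        first = {}  # earliest time each (source, kind) pair was seen in this burst
        for when, kind, src in burst:
            first.setdefault((src, kind), when)
        sources = sorted({src for _, _, src in burst})
        if len(sources) < min_sources:
            continue  # a solitary scan (or an empty log) is not a clump
        both = [s for s in sources if (s, "ping") in first and (s, "dns") in first
                and first[s, "ping"] < first[s, "dns"]]
        found.append({"start": burst[0][0], "sources": sources, "ping_then_dns": both,
                      "subnets": len({s.rsplit(".", 1)[0] for s in sources})})
    return found
```

Calling `find_clumps(parse(SAMPLE_LOG))` returns one clump of six sources on six /24s, all of which pinged before probing port 53; the solitary probe and the DNS reply are not reported.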