Flood of bad DNS queries
From: Brett Glass (brett_at_lariat.org)
Date: 12/03/03
- Previous message: Matthew Leeds: "Re: Anyone seen tgcmd.exe before?"
- Next in thread: Kurt Seifried: "Re: Flood of bad DNS queries"
- Reply: Kurt Seifried: "Re: Flood of bad DNS queries"
- Reply: Jacques Bourdeau: "Re: Flood of bad DNS queries"
- Reply: Mike Lyman: "Re: Flood of bad DNS queries"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 03 Dec 2003 13:41:51 -0700
To: incidents@securityfocus.com
Our logs are filling with reports of bogus queries which ask machines to do reverse lookups on their own IP addresses (backwards, with .in-addr.arpa appended, as is the usual convention). The queries are being addressed to machines which are not domain name servers and/or are not intended to serve queries from the outside world.
We're also seeing large numbers of requests to resolve ".".
Ironically, many of these requests are coming from addresses such as 207.46.49.152, which belongs to MSN. (It's unclear whether machines at Microsoft have been infected, or if the queries are coming from a user logged into MSN.)
What worm or Trojan is causing this? What vulnerability is being attacked here?
--Brett Glass
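One way to pick the two patterns described above (a client asking for the PTR record of its own address, and queries for the root name ".") out of a name server's query log, as an added example that is not part of the original post or any list reply. The log lines are constructed in a BIND-style query-log format for illustration, and the function names are my own; adapt the regular expression to whatever your server actually logs.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in a BIND-style query-log format (not taken from the post).
# The first two clients show the two suspicious patterns; the last line is a PTR lookup
# of somebody else's address, which is ordinary and must not be flagged.
SAMPLE_LOG = """\
03-Dec-2003 13:41:51.001 client 207.46.49.152#1034: query: 152.49.46.207.in-addr.arpa IN PTR +
03-Dec-2003 13:41:51.120 client 207.46.49.152#1035: query: . IN NS +
03-Dec-2003 13:41:52.004 client 198.51.100.7#3112: query: 7.100.51.198.in-addr.arpa IN PTR +
03-Dec-2003 13:41:53.310 client 198.51.100.7#3113: query: www.example.com IN A +
03-Dec-2003 13:41:54.000 client 192.0.2.9#2048: query: 152.49.46.207.in-addr.arpa IN PTR +
"""

# Assumed log layout: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"client (?P<client>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query(line):
    """Return (client_ip, qname, qtype) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname"), m.group("qtype")


def in_addr_arpa_to_ip(qname):
    """Map 'd.c.b.a.in-addr.arpa' back to the dotted-quad 'a.b.c.d'; None for anything else."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # partial (classless/zone-level) reverse names are not a host address
    candidate = ".".join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def classify(line):
    """Label one line: 'self-ptr' when the client asks for its own PTR record,
    'root-query' when it asks for the root name '.', otherwise None."""
    parsed = parse_query(line)
    if parsed is None:
        return None
    client, qname, qtype = parsed
    if qname == ".":
        return "root-query"
    if qtype == "PTR" and in_addr_arpa_to_ip(qname) == client:
        return "self-ptr"
    return None


def scan(log_text):
    """Count suspicious queries per (client, label) over a block of query-log text."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line)
        if label is None:
            continue
        client = parse_query(line)[0]
        counts[(client, label)] += 1
    return counts


if __name__ == "__main__":
    for (client, label), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client:16} {label:11} {n}")
```

Feeding a real query log through `scan` gives a per-source tally; a source that produces both labels, or a large count of either, is the kind of client worth correlating with firewall logs rather than something to act on from a single line. Because the check compares the reversed `in-addr.arpa` name against the logging server's own view of the client address, it is not fooled by a client looking up some other host's PTR record.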