Re: Flood of bad DNS queries

From: Jacques Bourdeau (J_Bourdeau_at_videotron.ca)
Date: 12/04/03

    Date: Wed, 03 Dec 2003 22:03:15 -0500
    To: Brett Glass <brett@lariat.org>
    
    

    Hi,

    Here, I blocked four /24 networks from Microsoft. 207.46.49.0/24 is one
    of them. It began during the last days of September.

    207.46.7.0/24
    207.46.242.0/24
    207.46.76.0/24
    207.46.49.0/24

    All of them are blocked on the firewall and cannot access any service
    on our network.

    They have now been blocked for 2 months and they continue to fill the log.
    Even after being dropped for months, they continue to try to connect.

    We also sent a message to abuse@microsoft, but as expected, we did not
    receive any answer or reaction.

    Just do as I did: drop all access from them on your firewall and keep
    them out of your system.

    Jacques Bourdeau, security eng.

    Brett Glass wrote:

    >Our logs are filling with reports of bogus queries which ask machines to do reverse lookups on their own IP addresses (backwards, with .in-addr.arpa appended, as is the usual convention). The queries are being addressed to machines which are not domain name servers and/or are not intended to serve queries from the outside world.
    >
    >We're also seeing large numbers of requests to resolve ".".
    >
    >Ironically, many of these requests are coming from addresses such as 207.46.49.152,
    >which belongs to MSN. (It's unclear whether machines at Microsoft have been
    >infected, or if the queries are coming from a user logged into MSN.)
    >
    >What worm or Trojan is causing this? What vulnerability is being attacked here?
    >
    >--Brett Glass


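The traffic described in this message (queries for "." and reverse lookups of the receiving machine's own address, answered here by blocking whole /24 networks) can be tallied from a query log before deciding what to block. The following is an added example, not part of the original post; the five-field log format, the function names and the documentation-range addresses are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in an assumed format: time, source, destination, qname, qtype.
SAMPLE_LOG = """\
2003-12-03T21:58:01 203.0.113.152 192.0.2.10 10.2.0.192.in-addr.arpa PTR
2003-12-03T21:58:02 203.0.113.152 192.0.2.11 11.2.0.192.in-addr.arpa. PTR
2003-12-03T21:58:02 203.0.113.77 192.0.2.10 . NS
2003-12-03T21:58:03 198.51.100.9 192.0.2.53 www.example.org A
2003-12-03T21:58:04 198.51.100.9 192.0.2.53 10.2.0.192.in-addr.arpa PTR
2003-12-03T21:58:05 203.0.113.152 192.0.2.10 . A
not a log line
"""


def classify(dst, qname):
    """Return 'root', 'self-ptr' or None for one query sent to address dst."""
    if qname == ".":
        return "root"
    # reverse_pointer yields e.g. '10.2.0.192.in-addr.arpa' for 192.0.2.10
    own = ipaddress.ip_address(dst).reverse_pointer
    if qname.rstrip(".").lower() == own:
        return "self-ptr"
    return None


def summarize(log_text):
    """Count flagged queries per (source /24, kind); malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, src, dst, qname, _ = fields
        try:
            kind = classify(dst, qname)
            net = ipaddress.ip_network(f"{src}/24", strict=False)
        except ValueError:
            continue
        if kind:
            counts[(str(net), kind)] += 1
    return counts


def block_candidates(counts, threshold):
    """Source /24s whose flagged queries (all kinds) reach the threshold."""
    totals = Counter()
    for (net, _), n in counts.items():
        totals[net] += n
    return sorted(net for net, n in totals.items() if n >= threshold)
```

A PTR query for another host's address sent to a different destination (the fifth sample line) is not flagged, so ordinary reverse lookups reaching a real name server do not count toward a block.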