Re: Flood of bad DNS queries
From: Mike Lyman (mlyman-security_at_comcast.net)
Date: 12/04/03
- Previous message: Jacques Bourdeau: "Re: Flood of bad DNS queries"
- In reply to: Brett Glass: "Flood of bad DNS queries"
To: incidents@securityfocus.com
Date: Wed, 03 Dec 2003 19:49:54 -0600
On Wed, 2003-12-03 at 14:41, Brett Glass wrote:
> What worm or Trojan is causing this? What vulnerability is being attacked here?
My guess is a newly installed 3DNS load balancer from F5. Back at
Microsoft we used to get lots of reports of this. So much so that we
contemplated many a late night mission into the data centers with wire
cutters :-) (As the former abuse@microsoft.com, I got quite a few of
the reports personally.)
3DNS is fairly intrusive in its default configuration and uses DNS-like
traffic to try to determine which data center you are logically closest
to and route you there. It also periodically retests even if no client
in your network is currently connecting to the systems using 3DNS. Sets
off lots of IDS and firewall alarms. It can be configured so that it
does not set off so many alarms.
-- Mike Lyman pgp keyid 0xAB7F35DA
- application/pgp-signature attachment: This is a digitally signed message part