Unusual IN ANY DNS Traffic
Douglas E. Warner
dwarner at ctinetworks.com
Wed May 11 11:44:29 UTC 2005
On Wednesday 11 May 2005 03:57, Simon Waters wrote:
> Indeed modern versions of BIND default to high ports for DNS queries as
> well unless configured otherwise. I think old versions of BIND and the odd
> firewall product were the main thing doing source port 53 queries.
>
> I was going to suggest email servers as a possible cause -- I think
> probably you'll have to speak to a customer if it still persists. Make sure
> they haven't been owned. Might just have been a spam run or mailshot with
> "msn.com" as the reply, and you discovering how many email servers are out
> there or similar.
>
I suspect you're correct; these are probably some DSL customers who have been
"0wn3d" by either a virus or malware and have just been "turned on" to spam
domains at "msn.com". Unfortunately we don't do protocol graphs on our major
routers or else I would have been able to see a spike of port 25 traffic if
it had existed - we just graph our DNS server queries, which is why I noticed
the jump.
> I assume you're not using something daft like MS DNS server, but a recent
> BIND or DJB cache.
Also correct; we're running BIND 9.2.2 and I parse the query logs to see what
kind of traffic we're getting via the different query types.
-Doug
--
Douglas E. Warner <dwarner at ctinetworks.com> Network Engineer
CTI Networks, Inc. http://www.ctinetworks.com +1 717 975 9000
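The kind of query-log parsing Doug describes (breaking BIND query logs down by query type so that a jump in ANY queries stands out) can be reproduced with a short script. The following is an added example, not code from the post or from BIND; it assumes the BIND 9.2-style query-log record `client <ip>#<port>: query: <name> <class> <type>` and runs over constructed sample lines that imitate the thread's scenario (a few DSL clients hammering ANY for "msn.com"). The thresholds in `suspicious_any_clients` are assumptions to be tuned against a site's own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the BIND 9.2-style query-log format
# ("... client <ip>#<port>: query: <name> <class> <type>"). They are
# made up for this example, not lines from the poster's server.
SAMPLE_LOG = """\
11-May-2005 03:10:01.101 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 03:10:01.205 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 03:10:01.330 client 192.0.2.11#53: query: msn.com IN ANY
11-May-2005 03:10:02.010 client 192.0.2.10#53: query: msn.com IN ANY
11-May-2005 03:10:02.410 client 198.51.100.5#43210: query: www.example.net IN A
11-May-2005 03:10:03.000 client 198.51.100.5#43210: query: example.net IN MX
11-May-2005 03:10:03.450 client 192.0.2.11#53: query: msn.com IN ANY
11-May-2005 03:10:04.020 client 203.0.113.7#51234: query: example.org IN AAAA
this line is not a query record and is skipped
"""

# One regex for the query record; the leading timestamp (and any category
# prefix) is ignored so the same pattern works for file and syslog output.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (client_ip, source_port, qname, qclass, qtype) per query line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield (m["ip"], int(m["port"]), m["name"].lower().rstrip("."),
                   m["cls"].upper(), m["qtype"].upper())


def qtype_histogram(text):
    """Count queries per query type: the breakdown to graph and watch for jumps."""
    return Counter(q[4] for q in parse_queries(text))


def client_profiles(text):
    """Per client: total queries, ANY queries, source ports seen, ANY targets."""
    profiles = defaultdict(lambda: {"total": 0, "any": 0,
                                    "ports": set(), "any_names": set()})
    for ip, port, name, _cls, qtype in parse_queries(text):
        p = profiles[ip]
        p["total"] += 1
        p["ports"].add(port)
        if qtype == "ANY":
            p["any"] += 1
            p["any_names"].add(name)
    return dict(profiles)


def suspicious_any_clients(text, min_any=3, min_any_share=0.5):
    """Clients whose ANY queries are both numerous and a large share of their
    traffic. The thresholds are assumptions; tune them to your baseline."""
    return {
        ip: p for ip, p in client_profiles(text).items()
        if p["any"] >= min_any and p["any"] / p["total"] >= min_any_share
    }


def source_port_53_clients(text):
    """Clients querying from source port 53: per the thread, more typical of an
    old resolver or a firewall product than of a modern BIND."""
    return sorted(ip for ip, p in client_profiles(text).items()
                  if 53 in p["ports"])


if __name__ == "__main__":
    print("by type:", dict(qtype_histogram(SAMPLE_LOG)))
    for ip, p in suspicious_any_clients(SAMPLE_LOG).items():
        print(f"{ip}: {p['any']}/{p['total']} ANY, names={sorted(p['any_names'])}")
    print("source port 53:", source_port_53_clients(SAMPLE_LOG))
```

Feeding a real query log through `qtype_histogram` at regular intervals gives the per-type series that reveals the jump; `suspicious_any_clients` then narrows it to the handful of customer addresses worth contacting, and `source_port_53_clients` separates the "old BIND or firewall" cases Simon mentions from ordinary high-port resolvers.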