[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200408040204.i74241n27690@singularity.tronunltd.com>
From: Ian.Latter at mq.edu.au (Ian Latter)
Subject: FW: Question for DNS pros
I've been flat out here -- but I've tried to stay on this thread ..
Are you guys sure that this isn't the server end of the
ip-over-dns software (nstxd) trying to get data back to the
now non-existent client?
It would have made it through your statefull kit if it was
initiated from that problem address of yours (Paul), originally.
The only thing I see not being consistent with the nstx stuff
is the multiple sources/channels ... but that doesn't mean
that there couldn't have been multiple connections from the
problem address, or a multi-terminating version of the client/
server software .. (a dns hub of sorts).
----- Original Message -----
>From: "Ron DuFresne" <dufresne@...ternet.com>
>To: "Paul Schmehl" <pauls@...allas.edu>
>Subject: Re: FW: [Full-Disclosure] Question for DNS pros
>Date: Tue, 03 Aug 2004 11:29:55 -0500
>
>
> [SNIP]
>
> > >
> > Mine are identical to yours. Same host, same src port, same types of
> > packets, same ttl, same len) Whatever this is is obviously crafted from
> > some sort of script. The only thing I can think of is recon. If someone
> > has any bright ideas, speak up.
> >
>
> I think Frank mentioned the packets being like 2048 in size, and this
> makes me wonder if it's a tad more then mere recon. Might be trying to
> exploit or develope an exploit for bind. and might be a tool in progress
> for a specific bind OS combo.
>
> But, I find just tossing the offenders into the "not allowed" list of
> entowrk addresses reduces the log fluff as well as hinder progressive
> testing, for them, at least off my networks.
>
>
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
Ian Latter
Internet and Networking Security Officer
Macquarie University
Powered by blists - more mailing lists