North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: huh
On Tue, 15 Jan 2002, Sean Donelan wrote: > On Tue, 15 Jan 2002, Tim Devries wrote: > > Ok, well this is good to know. Although it still doesn't explain why my > > firewall is reporting DNS UDP/TCP probes from windowupdate.com on a regular > > basis. > > A couple of possibilities > - DNS cache poisoning sending spoofed answers to your DNS server (are > you running a current version of BIND or an alternative?) > - DDOS attack on windowsupdate.com using spoofed source packets (DNS > and HTTP packets can tunnel through most firewall configurations) Here are examples of the bogus queries I've been seeing. Since this is a non-windows machine, it has no reason to query windowsupdate.com for any purpose. Jan 14 22:08:47 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN Jan 14 22:08:47 clifden last message repeated 2 times Jan 14 23:12:12 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN Jan 14 23:14:05 clifden last message repeated 5 times Jan 15 00:24:56 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN Jan 15 00:24:56 clifden last message repeated 2 times Jan 15 01:32:20 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN Jan 15 01:36:13 clifden last message repeated 8 times Jan 15 01:38:19 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN Jan 15 01:38:19 clifden last message repeated 2 times
|