North American Network Operators Group

Re: Unusual IN ANY DNS Traffic
On Wednesday 11 May 2005 03:57, Simon Waters wrote:

> Indeed modern versions of BIND default to high ports for DNS queries as
> well unless configured otherwise. I think old versions of BIND and the odd
> firewall product were the main thing doing source port 53 queries.
>
> I was going to suggest email servers as a possible cause -- I think
> probably you'll have to speak to a customer if it still persists. Make sure
> they haven't been owned. Might just have been a spam run or mailshot with
> "msn.com" as the reply, and you discovering how many email servers are out
> there or similar.

I suspect you're correct; these are probably some DSL customers who have been "0wn3d" by either a virus or malware and have just been "turned on" to spam domains at "msn.com". Unfortunately we don't do protocol graphs on our major routers or else I would have been able to see a spike of port 25 traffic if it had existed - we just graph our DNS server queries, which is why I noticed the jump.

> I assume you're not using something daft like MS DNS server, but a recent
> BIND or DJB cache.

Also correct; we're running BIND 9.2.2 and I parse the query logs to see what kind of traffic we're getting via the different query types.

-Doug

--
Douglas E. Warner <[email protected]>
Network Engineer
CTI Networks, Inc.
http://www.ctinetworks.com
+1 717 975 9000
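Doug mentions parsing BIND query logs to break traffic down by query type. The script below is an added example (not part of Doug's message, and not CTI Networks' tooling) of what that breakdown looks like in code: it parses lines in the shape of BIND 9 query logging (`client <ip>#<port>: query: <name> <class> <type>`, a format assumed here), counts queries per type, reports the share of `ANY` queries whose jump is the kind of spike Doug noticed, and lists which client addresses are responsible so the operator knows which customers to contact. The log lines, addresses and names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of BIND 9 query logging
# ("client <ip>#<port>: query: <name> <class> <type>"); addresses and
# names are made up for this example, not taken from a real log.
SAMPLE_LOG = """\
11-May-2005 03:12:01.001 client 192.0.2.10#32771: query: www.example.net IN A
11-May-2005 03:12:01.002 client 192.0.2.10#32771: query: example.net IN MX
11-May-2005 03:12:01.120 client 192.0.2.44#1026: query: msn.com IN ANY
11-May-2005 03:12:01.130 client 192.0.2.44#1026: query: msn.com IN ANY
11-May-2005 03:12:01.141 client 192.0.2.45#1026: query: msn.com IN ANY
11-May-2005 03:12:01.150 client 192.0.2.45#1026: query: msn.com IN ANY
11-May-2005 03:12:01.200 client 192.0.2.10#32771: query: mail.example.org IN MX
11-May-2005 03:12:01.300 client 192.0.2.46#1026: query: msn.com IN ANY
"""

# Assumed log layout: the client address and source port, then the
# queried name, class and type separated by single spaces.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (client_ip, name, qtype) for each query line; skip lines that do not match."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower(), m.group("qtype").upper()


def qtype_counts(text):
    """Count queries per query type: the per-type breakdown Doug describes graphing."""
    return Counter(qtype for _, _, qtype in parse_queries(text))


def any_share(text):
    """Fraction of all queries that are ANY; a sudden rise in this ratio is the spike to alert on."""
    counts = qtype_counts(text)
    total = sum(counts.values())
    return counts["ANY"] / total if total else 0.0


def any_query_clients(text, min_queries=2):
    """Clients sending at least min_queries ANY queries, with the names they asked for.

    Returns {client_ip: {name: count}} so the operator can see which
    customers to contact rather than just that the total went up.
    """
    per_client = {}
    for ip, name, qtype in parse_queries(text):
        if qtype == "ANY":
            per_client.setdefault(ip, Counter())[name] += 1
    return {
        ip: dict(names)
        for ip, names in per_client.items()
        if sum(names.values()) >= min_queries
    }


if __name__ == "__main__":
    print("queries by type:", dict(qtype_counts(SAMPLE_LOG)))
    print(f"ANY share: {any_share(SAMPLE_LOG):.2f}")
    print("clients sending repeated ANY queries:", any_query_clients(SAMPLE_LOG))
```

Running the script against a real query log (e.g. piping the file contents into `qtype_counts`) gives the same per-type totals Doug graphs; keeping a baseline of `any_share` over time and comparing each interval against it turns the manual "I noticed the jump" into a repeatable check, and `any_query_clients` narrows the follow-up to the handful of addresses behind the spike.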