"Tony Toews [MVP]" <tto...@telusplanet.net> wrote:

>As far as I can tell from the same 5 or 20 IP addresses.  I haven't seen these
>lines before.

When I analyzed today's log I got three IP addresses.

204.15.80.50 might be smtp9.soma.ironport.com
63.217.28.226 might be Network Solutions according to the below Slashdot article.
76.9.16.171 is mentioned at http://isc.sans.org/diary.html?storyid=5713

Ah, I think I see what is happening here.  Searching at the below article for
63.217.28.226 
http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply stating:

"The problem seems to kick in for DNS servers that aren't rejecting the queries.
Someone is channeling ye 'ole smurfing methods.

They're requesting a list of all DNS root servers. If the server don't reject
the query, a 17 byte query becomes a 50k response (or something like that) to
the spoofed address."

Tony
-- 
Tony Toews, Microsoft Access MVP
   Please respond only in the newsgroups so that others can 
read the entire thread of messages.
   Microsoft Access Links, Hints, Tips & Accounting Systems at 
http://www.granite.ab.ca/accsmstr.htm
   Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
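
The log analysis described in the message above can be scripted. The following is an added example, not part of the original post or of BIND: it counts root NS (`. IN NS`) queries per claimed source address and lists sources whose queries were logged but never denied. It assumes BIND 9 style "security" and "queries" log lines; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of BIND 9 "security" and "queries"
# log categories. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
24-Jan-2009 10:15:01.100 security: info: client 198.51.100.7#4242: query (cache) './NS/IN' denied
24-Jan-2009 10:15:01.350 security: info: client 198.51.100.7#4242: query (cache) './NS/IN' denied
24-Jan-2009 10:15:02.010 security: info: client 198.51.100.7#4243: query (cache) './NS/IN' denied
24-Jan-2009 10:15:02.500 queries: info: client 192.0.2.10#53211: query: www.example.com IN A +
24-Jan-2009 10:15:03.120 queries: info: client 203.0.113.9#1025: query: . IN NS +
24-Jan-2009 10:15:03.900 queries: info: client 203.0.113.9#1025: query: . IN NS +
"""

# Assumed line formats; ".*?" tolerates extra fields between port and colon.
CLIENT = r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?: "
DENIED = re.compile(CLIENT + r"query \(cache\) '\./NS/IN' denied")
LOGGED = re.compile(CLIENT + r"query: \. IN NS\b")


def root_ns_report(log_text):
    """Count root NS queries per claimed source address.

    With spoofed traffic the "client" address is the intended victim,
    not the real sender, so treat it as a target indicator.
    """
    report = defaultdict(lambda: {"queries": 0, "denied": 0})
    for line in log_text.splitlines():
        for key, pattern in (("denied", DENIED), ("queries", LOGGED)):
            match = pattern.search(line)
            if match:
                report[match.group("ip")][key] += 1
    return dict(report)


def not_refused(report):
    """Sources whose root NS queries were logged but never denied."""
    return sorted(ip for ip, c in report.items()
                  if c["queries"] > 0 and c["denied"] == 0)


if __name__ == "__main__":
    report = root_ns_report(SAMPLE_LOG)
    for ip, counts in sorted(report.items()):
        print(ip, counts)
    print("root NS queries not refused for:", not_refused(report))
```

Any address returned by `not_refused` indicates the server is answering root NS queries from outside and is worth checking against its query ACLs.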