I've been flat out here -- but I've tried to stay on this thread .. Are you guys sure that this isn't the server end of the ip-over-dns software (nstxd) trying to get data back to the now non-existent client?
It would have made it through your stateful kit if it was initiated from that problem address of yours (Paul), originally. The only thing I see not being consistent with the nstx stuff is the multiple sources/channels ... but that doesn't mean that there couldn't have been multiple connections from the problem address, or a multi-terminating version of the client/server software .. (a dns hub of sorts).

----- Original Message -----
> From: "Ron DuFresne" <[EMAIL PROTECTED]>
> To: "Paul Schmehl" <[EMAIL PROTECTED]>
> Subject: Re: FW: [Full-Disclosure] Question for DNS pros
> Date: Tue, 03 Aug 2004 11:29:55 -0500
>
> [SNIP]
>
> > Mine are identical to yours. Same host, same src port, same types of
> > packets, same ttl, same len) Whatever this is is obviously crafted from
> > some sort of script. The only thing I can think of is recon. If someone
> > has any bright ideas, speak up.
>
> I think Frank mentioned the packets being like 2048 in size, and this
> makes me wonder if it's a tad more than mere recon. Might be trying to
> exploit or develop an exploit for bind, and might be a tool in progress
> for a specific bind OS combo.
>
> But, I find just tossing the offenders into the "not allowed" list of
> network addresses reduces the log fluff as well as hinders progressive
> testing, for them, at least off my networks.
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Ian Latter
Internet and Networking Security Officer
Macquarie University
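As an added example (not from the thread, and not nstx's own code): a small detector, fed constructed sample lines in a simplified tcpdump -v style, that flags a source whose packets to UDP/53 repeat the same src port, TTL and length, the pattern Paul describes above, and notes lengths above 512 bytes, which plain UDP DNS without EDNS0 does not produce. The addresses and the log format are assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Constructed sample, simplified tcpdump -v style (not captures from the thread).
# Hypothetical addresses: 198.51.100.7 plays the suspect host, 192.0.2.10 our resolver.
SAMPLE_LOG = """\
12:00:01.000 IP (ttl 48, id 0, length 2048) 198.51.100.7.53 > 192.0.2.10.53: UDP
12:00:02.000 IP (ttl 48, id 0, length 2048) 198.51.100.7.53 > 192.0.2.10.53: UDP
12:00:03.000 IP (ttl 48, id 0, length 2048) 198.51.100.7.53 > 192.0.2.10.53: UDP
12:00:04.000 IP (ttl 48, id 0, length 2048) 198.51.100.7.53 > 192.0.2.10.53: UDP
12:00:05.000 IP (ttl 57, id 4410, length 83) 203.0.113.5.40123 > 192.0.2.10.53: UDP
12:00:06.000 IP (ttl 57, id 4411, length 91) 203.0.113.5.40124 > 192.0.2.10.53: UDP
12:00:07.000 IP (ttl 57, id 4412, length 79) 203.0.113.5.40125 > 192.0.2.10.53: UDP
"""

LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+), .*?length (?P<length>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_packets(log):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("ttl", "length", "sport", "dport"):
                d[k] = int(d[k])
            yield d


def find_crafted_dns(log, min_repeats=3, max_plain_udp=512):
    """Flag sources whose packets to UDP/53 keep an identical
    (src port, TTL, length) tuple at least min_repeats times.  Normal
    resolver traffic varies the ephemeral port and length; scripted
    packets tend not to.  Lengths above 512 bytes are marked oversize."""
    counts = defaultdict(int)
    for p in parse_packets(log):
        if p["dport"] == 53:
            counts[(p["src"], p["sport"], p["ttl"], p["length"])] += 1
    findings = []
    for (src, sport, ttl, length), n in sorted(counts.items()):
        if n >= min_repeats:
            findings.append({"src": src, "sport": sport, "ttl": ttl,
                             "length": length, "count": n,
                             "oversize": length > max_plain_udp})
    return findings
```

Running `find_crafted_dns(SAMPLE_LOG)` reports only the 198.51.100.7 source (four identical 2048-byte packets from src port 53) and leaves the varied resolver-style traffic alone.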
