After Emmanuel's message I re-read your original message
and saw that I had missed the part about sover.net being
your ISP.

In that case, they probably need to do something to address
the slow response times of their DNS server.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]


> -----Original Message-----
> From: Mike Burden
> Sent: Wednesday, October 30, 2002 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] DNS Attacks
>
>
> $ whois sover.net
> [...]
> Name Server: CLOVER.SOVER.NET
>
> Clover is a DNS server for sover.net.  It's quite
> possible that these are late replies to a DNS request
> that originated from within your network.
>
> In either case, the issue is probably not the result
> of your configuration, and not something that your
> ISP is in a position to do anything about.
>
> I have a series of filter rules set up to block
> late replies to various services.  I've posted them
> to the group at least twice, so they should be in
> the archives.  They're similar to the default
> "Block/nolog stale HTTP" filter.
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
>
> > -----Original Message-----
> > From: Netman [mailto:kenh@;nexuscei.com]
> > Sent: Wednesday, October 30, 2002 2:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: [gb-users] DNS Attacks
> >
> >
> > Every so often (every few days or weeks), I get 2 straight hours of
> > alarms for packets attempting to come in on Port 53.  There could be
> > thousands of these during the attack, coming in at the rate of 20 or
> > so per minute.  The odd thing is, they appear to be coming from my
> > ISP.  I have a DNS server set up for name resolution on the LAN.  Is
> > there any way these packets could be something I did, or should I
> > shake down my ISP some more?  209.198.87.40 is my ISP and the
> > apparent sending address of all these packets.  xxx.242 is the
> > external address of my DNS server (and my email server).
> >
> >       ALARM NO: 1
> >           DATE: Wednesday, Oct 30, 2002
> >           TIME: 14:16:03
> >      INTERFACE: EXTERNAL (fxp1)
> > INTERFACE TYPE: External
> >     ALARM TYPE: Block
> >      IP PACKET: UDP
> > [209.198.87.40/53]-->[xxx.xxx.xxx.242/30571]  l=43
> >
> > [clover.sover.net/domain]-->[mail.blablabla.com/30571]
> >
> > DETAILED DESCRIPTION:
> >       IP packet was rejected.
> >
> > Thanks,
> >
> >             Ken Hewitt, MIS Manager
> >             Nexus Custom Electronics, Brandon, VT
> >             [EMAIL PROTECTED]
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > To subscribe to the digest version first unsubscribe, then
> >  e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > Archive of the last 1000 messages:
> >  http://www.mail-archive.com/gb-users@;gta.com

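The distinction drawn in the thread (blocked UDP packets *from* port 53 to a high port are replies to outbound queries, not inbound attacks) can be checked mechanically over a batch of alarms. The following is an added example, not part of the original messages or of the firewall's own tooling; the resolver list, the sample alarms and the documentation addresses in them are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the resolvers the internal DNS server forwards to.
# 192.0.2.53 is a documentation address standing in for the ISP resolver.
UPSTREAM_RESOLVERS = {"192.0.2.53"}

# Matches the "IP PACKET" field of an alarm, e.g.
#   UDP [192.0.2.53/53]-->[198.51.100.242/30571]  l=43
PACKET_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)

def classify(proto, src, sport, dport):
    """Label one blocked packet by what it most plausibly is."""
    if proto == "UDP" and sport == 53 and dport >= 1024:
        # A response aimed at an ephemeral port: an answer to an outbound query.
        if src in UPSTREAM_RESOLVERS:
            return "late-reply"          # answer arrived after UDP state expired
        return "unsolicited-response"    # port-53 source we never forward to
    if dport == 53:
        return "inbound-query"           # someone querying our DNS server
    return "other"

def summarize(alarm_text):
    """Count blocked packets per (source, label) in a block of alarm text."""
    counts = Counter()
    for m in PACKET_RE.finditer(alarm_text):
        label = classify(m["proto"], m["src"], int(m["sport"]), int(m["dport"]))
        counts[(m["src"], label)] += 1
    return counts

# Constructed sample alarms (documentation addresses, not from the thread).
SAMPLE = """
IP PACKET: UDP
[192.0.2.53/53]-->[198.51.100.242/30571]  l=43
IP PACKET: UDP
[192.0.2.53/53]-->[198.51.100.242/30602]  l=43
IP PACKET: UDP [203.0.113.9/53]-->[198.51.100.242/41000]  l=60
IP PACKET: UDP [203.0.113.77/4021]-->[198.51.100.242/53]  l=38
"""

if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {label:22} {n}")
```

A run dominated by `late-reply` from the configured resolver points at slow upstream DNS, while `unsolicited-response` or `inbound-query` entries are the ones worth investigating further.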