It is coming from quite a few IP addresses. Guess there is really nothing to do about it since the gnatbox is catching it. It is just an annoyance examining my log file and seeing all of the traffic they are producing.

Thanks for your help

Randy Haley

-----Original Message-----
From: Mike Burden [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [gb-users] UDP Port 53 traffic

My site and all of my Customers' sites have been taking enormous amounts of hits on port 53 since the last few rounds of BIND vulnerabilities. Chalk it up to "way too many kids with too much time on their hands".

Stupid script kiddies barely know an IP Address from a NETBIOS name, but they can find the blackhat site that gives them step-by-step instructions on port scanning, and then they think they're really l337 h4x0r5 ("elite hackers" for those who have more than half a brain, and thus don't speak 'leetspeak).

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: david raistrick [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 06, 2002 10:28 AM
> To: Randy Haley
> Cc: [EMAIL PROTECTED]
> Subject: Re: [gb-users] UDP Port 53 traffic
>
> On Fri, 6 Dec 2002, Randy Haley wrote:
>
> > 2002-12-06 15:07:30 Filter: RAF (45) block - Warning UDP (207.46.150.12:2562) => (63.71.36.1:53) dc0 l=41
>
> Interesting that 207.46.150.12 is contained in a Microsoft allocated
> network..
>
> Are these log messages all sourced from the same IP or from many
> different addresses?
>
> It's possible that someone (perhaps whoever configured 207.46.150.12)
> has set their workstation or server to use 63.71.36.1 as a resolving
> DNS server....this could be something as simple as a typo that caused
> it.
>
> If you're seeing these from many different IP addresses, however, you
> may want to consider the recent BIND exploits. It may be as simple as
> a bunch of scriptkiddies scanning you, looking for a place to play.
>
> If you wanted to see what questions were being asked of you, you could
> use a sniffer on your external network (tcpdump, ethereal, etc) to
> look at the contents of the queries being made.
>
> ...david
> ---
> David Raistrick
> Systems Administrator - Global Technology Associates, Inc
> [EMAIL PROTECTED]
> Disclaimer: All opinions expressed are the opinions of
> David Raistrick, not necessarily those of GTA, Inc.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> To subscribe to the digest version first unsubscribe, then
> e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Archive of the last 1000 messages:
> http://www.mail-archive.com/[email protected]
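
The triage question raised in the thread (one source address or many?) can be answered straight from the filter log. The following is an added example, not part of the original messages or of any GTA tooling: it assumes every filter record has the layout of the single log line quoted above, and the sample lines other than that one, the `many` threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the single log line quoted in the thread; treating every
# filter record as having this layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Filter: \S+ \((?P<rule>\d+)\) "
    r"(?P<action>\w+) - \w+ (?P<proto>\w+) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\) => \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

# Constructed sample: the first line is the one from the thread, the rest are
# made up using documentation address ranges.
SAMPLE_LOG = """\
2002-12-06 15:07:30 Filter: RAF (45) block - Warning UDP (207.46.150.12:2562) => (63.71.36.1:53) dc0 l=41
2002-12-06 15:07:31 Filter: RAF (45) block - Warning UDP (207.46.150.12:2563) => (63.71.36.1:53) dc0 l=41
2002-12-06 15:08:02 Filter: RAF (45) block - Warning UDP (192.0.2.17:1044) => (63.71.36.1:53) dc0 l=45
2002-12-06 15:08:40 Filter: RAF (45) block - Warning UDP (198.51.100.9:3310) => (63.71.36.1:53) dc0 l=38
2002-12-06 15:09:12 Filter: RAF (12) block - Warning TCP (203.0.113.5:4001) => (63.71.36.1:80) dc0 l=60
this line is not a filter record
"""

def dns_sources(log_text, proto="UDP", dport=53):
    """Count blocked packets per source IP for one protocol/destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "block":
            continue  # skip unparseable lines and anything that was not blocked
        if m["proto"] == proto and int(m["dport"]) == dport:
            counts[m["src"]] += 1
    return counts

def triage(counts, many=3):
    """One source points at a misconfigured client; many point at scanning."""
    if not counts:
        return "no matching traffic"
    if len(counts) == 1:
        return "single source"
    # The threshold of 3 distinct sources is an arbitrary, constructed cut-off.
    return "many sources" if len(counts) >= many else "few sources"

if __name__ == "__main__":
    found = dns_sources(SAMPLE_LOG)
    for src, n in found.most_common():
        print(f"{src:15} {n}")
    print(triage(found))
```
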
