[plug] dns connection attempts

Christian christian at amnet.net.au
Thu Dec 14 10:10:19 WST 2000


On Wed, Dec 13, 2000 at 08:42:11PM +0800, Bill Kenworthy wrote:
> Here's an interesting one:
> 
> occasionally I am getting a "spray" of attempts to connect to port 53
> (dns)  ipchains blocks them, but what is causing it?  I presume bad
> guys, but the pattern is a bit odd.  nmap shows a linux box at each of
> the IPs I have tried, nslookup shows nothing.  nmap shows all machines
> in a "spray" have the same signature, so I surmise that it's the same
> machine with multiple IPs (spoofed?)  Other days, it's been a different
> (linux) machine by the signature, but all IPs still give an identical
> signature!  In one case only, all packets had a different source IP, but
> the same outgoing port!

It's almost certainly someone looking for the remote root hole in some
previous versions of BIND that shipped installed by default on a number
of Linux systems.

As for the changing IP addresses, perhaps the attacker is using a number
of machines to do his probing with and he's misconfigured them to all
check the same blocks of IPs.

I'm not sure what you mean by "same signature".  I don't see how you
surmise it's the same machine.  If the IPs were spoofed your attempts to
contact them would likely go to the victim of the spoofing, not the
machine from which it was done.

> Anyone else had this?  Is there a site that gives details of signatures
> of different types of attack? - I haven't stumbled across any so far,
> interested in what tools are used and how they are trying to get in.

What signature are you referring to now?  It seems to be a different
meaning to your usage above!  If you mean an IDS signature then this
usually varies from IDS to IDS.  Contact your vendor or do a search on
the web.
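As an added example (not part of this thread or anyone's posted code), the following script shows how a defender could pull the "spray" pattern Bill describes out of firewall logs: it groups blocked packets to port 53 into one-minute windows, counts the distinct source addresses per window, and flags whether every packet in the window used the same source port, which is the detail Bill noticed and which suggests one scanning host rather than many. The log lines are constructed for the example and follow the general shape of an ipchains "Packet log" syslog entry; the exact field layout of a real log may differ, and the regular expression is an assumption you would adjust to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the general shape of an ipchains "Packet log"
# syslog entry (kernel 2.2).  These are illustrative, not captured traffic.
# Source/destination addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 13 20:31:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1025 198.51.100.5:53 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#5)
Dec 13 20:31:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.11:1025 198.51.100.5:53 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#5)
Dec 13 20:31:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.12:1025 198.51.100.5:53 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#5)
Dec 13 20:31:03 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.13:1025 198.51.100.5:53 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#5)
Dec 13 20:45:10 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40123 198.51.100.5:53 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#5)
Dec 13 20:45:11 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40124 198.51.100.5:22 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#5)
"""

# Assumed field layout: "<Mon> <day> <HH:MM>:<SS> <host> kernel: Packet log:
# <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d .*?Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    return d


def find_sprays(log_text, dport=53, min_sources=3):
    """Group blocked packets to `dport` by minute and report windows that look
    like a spray: at least `min_sources` distinct source addresses.  Each
    report also notes whether all packets shared one source port, the
    pattern that points to a single scanner rather than independent hosts."""
    windows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        windows[rec["minute"]].append(rec)

    sprays = []
    for minute, recs in sorted(windows.items()):
        sources = {r["src"] for r in recs}
        if len(sources) < min_sources:
            continue
        sports = {r["sport"] for r in recs}
        sprays.append({
            "minute": minute,
            "packets": len(recs),
            "distinct_sources": len(sources),
            "single_source_port": len(sports) == 1,
            "source_port": next(iter(sports)) if len(sports) == 1 else None,
        })
    return sprays


if __name__ == "__main__":
    for spray in find_sprays(SAMPLE_LOG):
        print(spray)
```

Run against real logs, feed the file contents to `find_sprays` and raise `min_sources` to whatever level separates a genuine spray from ordinary background noise on your link; a window where `single_source_port` is true across many source addresses is worth correlating with the other probes the thread mentions before drawing conclusions about spoofing.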
