[plug] dns connection attempts

Paul Dean paul at canningcollege.wa.edu.au
Thu Dec 14 10:14:08 WST 2000 

Bill,

Have you recently upgraded to RH 7.0?
If so there is a setting in /etc/named.conf that allows you to tell dns 
auth to go thru IPADD:53, I had the same prob, and just commented this out 
and solved the prob.

Hope this helps




At 08:42 PM 13/12/2000 +0800, you wrote:
>Here an interesting one:
>
>occaisionly I am getting a "spray" of attempts to connect to port 53
>(dns)  ipchains blocks them, but what is causing it?  I presume bad
>guy's, but the pattern is a bit odd.  nmap shows a linux box at each of
>the IP's I have tried, nslookup shows nothing.  nmap shows all machines
>in a "spray" have the same signature, so I surmise that its the same
>machine with multiple IP's (spoofed?)  Other day's, its been a different
>(linux) machine by the signature, but all IP's still give an identical
>signature!  In one case only, all packets had a different source IP, but
>the same outgoing port!
>
>Sample:
>Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
>216.6.49.143:9354 203.59.181.iinet:53 L=73 S=0x00 I=30690 F=0x0000 T=45
>(#80)
>
>Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
>64.78.174.34:2431 203.59.181.iinet:53 L=73 S=0x00 I=28725 F=0x0000 T=46
>(#80)
>
>Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
>209.92.236.2:2012 203.59.181.iinet:53 L=73 S=0x00 I=12109 F=0x0000 T=48
>(#80)
>
>Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
>64.78.156.2:2661 203.59.181.iinet:53 L=73 S=0x00 I=32543 F=0x0000 T=48
>(#80)
>
>Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
>64.70.61.2:2701 203.59.181.iinet:53 L=73 S=0x00 I=12155 F=0x0000 T=48
>(#80)
>
>Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
>64.41.192.103:42540 203.59.181.iinet:53 L=73 S=0x00 I=37650 F=0x0000
>T=47 (#80)
>
>Anyone else had this?  Is there a site that gives details of signatures
>of diffent types of attack? - I havent stumbled across any so far,
>interested in what tools are used and how they are trying to get in.
>
>BillK


Regards

Paul Dean
IT Support Officer
Canning College
Computing Centre
Ph: 9350 5430
Mob: 0408 902 206
paul at canningcollege.wa.edu.au

More information about the plug mailing list