[nsp-sec] Suspicious DNS Activity
Rob Thomas
robt at cymru.com
Thu Jul 31 12:19:33 EDT 2008
Hey, Gerard.
It looks like it began those scans on or about 2008-07-29 00:18:59 UTC,
with the vigorous scanning starting around 2008-07-29 01:03:01 UTC. It
started with UDP 53 visits to 193/8, 194/8, and 141/8 it seems.
It's receiving a lot of ICMP port unreachable messages, not surprisingly.
Thanks,
Rob.
White, Gerard wrote:
> ----------- nsp-security Confidential --------
>
> Greetings.
>
> The following source is doing a continuous, repetitive Type 255
> (Request all records) request
> to the tune of 10-30 QPS on some of our patched servers:
>
> AS | IP | AS Name
> 25535 | 194.85.88.199 | ASN-RUCENTER-HOSTING Hosting Traffic exchange
>
> GW
> 855 - Bell Aliant
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/