[nsp-sec] Suspicious DNS Activity

White, Gerard Gerard.White at aliant.ca
Thu Jul 31 12:29:13 EDT 2008


So if it is _scanning_ across /8's, perhaps we have a crew "building"
a list of responsive servers, then?  Odd that they're not being stealthy
about it, though...  weird.

Oh yeah, for some strange reason, that /32 doesn't work inside our ASN
anymore... :)

GW
855 - Bell Aliant

> -----Original Message-----
> From: Rob Thomas [mailto:robt at cymru.com]
> Sent: Thursday, July 31, 2008 1:50 PM
> To: White, Gerard
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Suspicious DNS Activity
> 
> Hey, Gerard.
> 
> It looks like it began those scans on or about 2008-07-29 00:18:59 UTC,
> with the vigorous scanning starting around 2008-07-29 01:03:01 UTC. It
> started with UDP 53 visits to 193/8, 194/8, and 141/8 it seems.
> 
> It's receiving a lot of ICMP port unreachable messages, not surprisingly.
> 
> Thanks,
> Rob.
> 
> 
> White, Gerard wrote:
> > ----------- nsp-security Confidential --------
> >
> > Greetings.
> >
> > The following source is doing a continuous, repetitive Type 255
> > (Request all records) request to the tune of 10-30 QPS on some of our
> > patched servers:
> >
> > AS      | IP               | AS Name
> > 25535   | 194.85.88.199    | ASN-RUCENTER-HOSTING Hosting Traffic exchange
> >
> > GW
> > 855 - Bell Aliant
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> 
> --
> Rob Thomas
> Team Cymru
> The WHO and WHY team
> http://www.team-cymru.org/
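
Added example, not part of the thread and not Bell Aliant's or Team Cymru's tooling: a short Python script that does the check Gerard describes over a BIND 9 style query log. It counts ANY (type 255) queries per source in a sliding one-second window and flags any source at or above 10 QPS, matching the 10-30 QPS in the report, and lists the names queried so a repetitive single-name pattern is visible. The log lines are constructed for the example and use documentation addresses (192.0.2.10 stands in for the reported source); the log format, the threshold and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed BIND 9 style query-log lines (assumption: this is the log
# format in use; they are NOT taken from the thread). 192.0.2.10 is a
# documentation address standing in for the reported source; it fires a
# burst of ANY (qtype 255) queries for one name. 198.51.100.7 sends a few
# ordinary lookups plus a single ANY query, which must not be flagged.
SAMPLE_LOG = """\
31-Jul-2008 12:00:00.101 client 192.0.2.10#53211: query: example.com IN ANY +
31-Jul-2008 12:00:00.152 client 192.0.2.10#53212: query: example.com IN ANY +
31-Jul-2008 12:00:00.203 client 198.51.100.7#40001: query: www.example.com IN A +
31-Jul-2008 12:00:00.231 client 192.0.2.10#53213: query: example.com IN ANY +
31-Jul-2008 12:00:00.299 client 192.0.2.10#53214: query: example.com IN ANY +
31-Jul-2008 12:00:00.350 client 192.0.2.10#53215: query: example.com IN ANY +
31-Jul-2008 12:00:00.412 client 198.51.100.7#40002: query: mail.example.com IN AAAA +
31-Jul-2008 12:00:00.470 client 192.0.2.10#53216: query: example.com IN ANY +
31-Jul-2008 12:00:00.533 client 192.0.2.10#53217: query: example.com IN ANY +
31-Jul-2008 12:00:00.601 client 192.0.2.10#53218: query: example.com IN ANY +
31-Jul-2008 12:00:00.688 client 192.0.2.10#53219: query: example.com IN ANY +
31-Jul-2008 12:00:00.742 client 192.0.2.10#53220: query: example.com IN ANY +
31-Jul-2008 12:00:00.811 client 192.0.2.10#53221: query: example.com IN ANY +
31-Jul-2008 12:00:00.890 client 192.0.2.10#53222: query: example.com IN ANY +
31-Jul-2008 12:00:00.955 client 192.0.2.10#53223: query: example.com IN ANY +
31-Jul-2008 12:00:01.020 client 198.51.100.7#40003: query: example.com IN ANY +
31-Jul-2008 12:00:01.043 client 192.0.2.10#53224: query: example.com IN ANY +
31-Jul-2008 12:00:01.110 client 192.0.2.10#53225: query: example.com IN ANY +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) "
    r"IN (?P<qtype>\S+)"
)
_EPOCH = datetime(1970, 1, 1)


def parse_query_log(log_text):
    """Yield (seconds, src, qname, qtype) per parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield (ts - _EPOCH).total_seconds(), m.group("src"), m.group("qname"), m.group("qtype")


def any_query_profile(log_text, window=1.0):
    """Per source, summarise ANY queries: total count, peak count inside any
    `window`-second span (sliding window over sorted timestamps), and the
    names queried. 'TYPE255' is accepted as well as 'ANY' in case a logger
    prints the raw type number (defensive assumption, not BIND behaviour)."""
    events = defaultdict(list)  # src -> [(seconds, qname), ...]
    for secs, src, qname, qtype in parse_query_log(log_text):
        if qtype.upper() in ("ANY", "TYPE255"):
            events[src].append((secs, qname))
    profile = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()
        peak = 0
        for secs, _ in evs:
            recent.append(secs)
            while secs - recent[0] >= window:  # drop timestamps that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        profile[src] = {
            "total": len(evs),
            "peak": peak,
            "qnames": sorted({q for _, q in evs}),
        }
    return profile


def flag_any_floods(log_text, min_qps=10, window=1.0):
    """Sources whose peak ANY rate reaches min_qps per `window` seconds,
    as (src, peak, total, qnames) tuples, highest rate first."""
    hits = []
    for src, p in any_query_profile(log_text, window).items():
        if p["peak"] >= min_qps:
            hits.append((src, p["peak"], p["total"], tuple(p["qnames"])))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, peak, total, names in flag_any_floods(SAMPLE_LOG):
        print(f"{src}: peak {peak} ANY/s, {total} ANY queries, names={','.join(names)}")
```

On the constructed log the only hit is 192.0.2.10 at a peak of 14 ANY queries in one second, all for the same name; the single ANY query from 198.51.100.7 stays below the threshold. Against a real query log the two knobs are `min_qps` and `window`; widen the window if a source spaces its queries out, and keep the query log enabled on the authoritative servers, since the ICMP port unreachables Rob mentions are visible only to whoever sees the scanner's traffic, not to the target.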