[nsp-sec] FW: Suspicious DNS Activity
Krista Hickey
Krista.Hickey at cogeco.com
Thu Jul 31 12:40:53 EDT 2008
Excessive apologies for the misaddress of this email to -discuss, just
reinstalled Outlook and auto-complete is turned on by default.
I can't apologize enough.
Krista
7992
-----Original Message-----
From: Krista Hickey
Sent: Thursday, July 31, 2008 12:39 PM
To: nsp-security-discuss at puck.nether.net
Subject: RE: [nsp-sec] Suspicious DNS Activity
Maybe I missed a thread somewhere but my netflow samples show this
activity significantly rolling back approx 01:50 EDT and then dropping
off the radar altogether just before 02:00 EDT. Anyone else seeing that?
Krista
7992
>-----Original Message-----
>From: nsp-security-bounces at puck.nether.net
>[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
>Sent: Thursday, July 31, 2008 12:20 PM
>To: White, Gerard
>Cc: nsp-security NSP
>Subject: Re: [nsp-sec] Suspicious DNS Activity
>
>----------- nsp-security Confidential --------
>
>Hey, Gerard.
>
>It looks like it began those scans on or about 2008-07-29
>00:18:59 UTC, with the vigorous scanning starting around
>2008-07-29 01:03:01 UTC. It started with UDP 53 visits to 193/8,
>194/8, and 141/8 it seems.
>
>It's receiving a lot of ICMP port unreachable messages, not
>surprisingly.
>
>Thanks,
>Rob.
>
>
>White, Gerard wrote:
>> ----------- nsp-security Confidential --------
>>
>> Greetings.
>>
>> The following source is doing a continuous, repetitive Type 255
>> (Request all records) request to the tune of 10-30 QPS on some of our
>> patched servers:
>>
>> AS | IP | AS Name
>> 25535 | 194.85.88.199 | ASN-RUCENTER-HOSTING Hosting Traffic exchange
>>
>> GW
>> 855 - Bell Aliant
>>
>>