[nsp-sec] Suspicious DNS Activity
John Fraizer
john at op-sec.us
Thu Jul 31 14:06:14 EDT 2008
Krista Hickey wrote:
| ----------- nsp-security Confidential --------
|
| Maybe I missed a thread somewhere but my netflow samples show this
| activity significantly rolling back approx 01:50 EDT and then dropping
| off the radar altogether just before 02:00 EDT. Anyone else seeing that?
|
| Krista
| 7992
The last flow I see from them is 2008-07-31 05:54:52.856 UTC.
These almost have to be spoofed source addresses from a lot of hosts participating, based on the splay of scanning and the packet rates I saw on our network alone. Perhaps a bunch of machines anycast addressed on 194.85.88.199 to collect responses sent back?
John
AS11456