Re: query attack?

From: Men & Mice Support
Date: Friday, November 24, 2000
Time: 11:46:01 pm

OK, so something is insistently asking for a bogus reverse record. I
say bogus because, though it looks like something that might be used
in a classless subnet reverse zone, there aren't enough labels for
that.

And the source ports are the same for each source IP - in other
words, neither apparent machine is incrementing the source port for
successive queries. This tells you that the source of these requests
is not a TCP/IP stack looking to resolve something, nor is it a
standard query tool.

There are enough suspicious things here that I'd guess it's an
attack. Either the guy you talked to was lying (quite possible), or
the source IP is being spoofed, too. Unfortunately, I'm not
experienced at fending off such attacks; I have no helpful advice for
you.

Good luck.
____________________________________________________________________
Chris Buxton Men & Mice
cbuxton@menandmice.com We Make DNS Easy!

At 6:12 PM -0700 11/24/00, Cameron Knowlton wrote:
>Our DNS server, 209.91.91.194, is getting hit about once a second by
>a request that looks pretty weird.
>
>A snippet of the detailed QuickDNS log shows:
>
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>
>
>Am I under attack? or does QuickDNS have the hiccups?
>
>I've spoken with the tech at 207.67.172.150 (uia.net), he's
>extremely high level, had been programming firewalls for years, and
>has never seen anything like this before. According to him, his
>system (207.67.172.150) is *NOT* the one generating the queries.
>
>Any thoughts? My mind's become oatmeal.
>
>Cameron Knowlton
>cameronk@macgods.com
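The two checks Chris applies above (the reverse name has too few labels to be a plain or RFC 2317 classless PTR name, and each source IP keeps a fixed source port) can be run over a QuickDNS-style log. This is an added example, not code from the thread or from QuickDNS; the log lines and the 192.0.2.7 "normal resolver" lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread. The first four
# lines copy the suspicious pattern; the last two imitate a normal resolver
# that asks for a well-formed name and varies its source port.
SAMPLE_LOG = """\
Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
Query: "194.91.91.209.in-addr.arpa." - requested from "192.0.2.7:34001"
Query: "194.91.91.209.in-addr.arpa." - requested from "192.0.2.7:34002"
"""

LINE_RE = re.compile(r'Query: "(?P<name>[^"]+)" - requested from "(?P<ip>[\d.]+):(?P<port>\d+)"')
OCTET = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)$")
RANGE = re.compile(r"^\d{1,3}[-/]\d{1,3}$")   # RFC 2317 "first-last" or "first/prefix" label

def parse_log(text):
    """Yield (qname, src_ip, src_port) for every query line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["name"], m["ip"], int(m["port"])

def reverse_name_is_well_formed(qname):
    """True if qname has the label shape of a plain IPv4 PTR name (4 octets) or an
    RFC 2317 classless one (host octet, range label, then 3 octets). The name in
    the thread has a range label but only four labels in total, so it fits neither."""
    labels = qname.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return False
    host = labels[:-2]
    if len(host) == 4:
        return all(OCTET.match(l) for l in host)
    if len(host) == 5:
        return bool(OCTET.match(host[0]) and RANGE.match(host[1])
                    and all(OCTET.match(l) for l in host[2:]))
    return False

def flag_suspicious(text):
    """Return [(src_ip, bad_name, fixed_port)] for sources that asked for a malformed
    reverse name or sent several queries without ever changing their source port."""
    records = list(parse_log(text))
    by_ip = defaultdict(list)
    for name, ip, port in records:
        by_ip[ip].append((name, port))
    flagged = []
    for ip, seen in by_ip.items():
        bad_name = any(not reverse_name_is_well_formed(n) for n, _ in seen)
        fixed_port = len(seen) > 1 and len({p for _, p in seen}) == 1
        if bad_name or fixed_port:
            flagged.append((ip, bad_name, fixed_port))
    return flagged
```

Seeing both flags set for a source, as happens for the two addresses in the thread, is the combination Chris reads as a generated query stream rather than a resolver.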



