Sending UDP spam
Jamie
jamie at gnulife.org
Wed Sep 24 17:24:47 UTC 2003
Someone on one of the networks we have authority for (do reverse
in-addr.arpa lookups for) is reporting that our nameserver is sending them
messages in their security logs that look like this:
From 100.100.2.2 - 118 packets
To 100.80.2.23 - 118 packets
Service: 49000 (udp/49000) (iptables:,eth0,none) - 1 packet
Service: 49003 (udp/49003) (iptables:,eth0,none) - 1 packet
Service: 49026 (udp/49026) (iptables:,eth0,none) - 1 packet
Service: 49161 (udp/49161) (iptables:,eth0,none) - 1 packet
Service: 49275 (udp/49275) (iptables:,eth0,none) - 1 packet
Service: 49276 (udp/49276) (iptables:,eth0,none) - 1 packet
Service: 49568 (udp/49568) (iptables:,eth0,none) - 1 packet
Service: 49569 (udp/49569) (iptables:,eth0,none) - 1 packet
Service: 49570 (udp/49570) (iptables:,eth0,none) - 1 packet
Service: 49572 (udp/49572) (iptables:,eth0,none) - 1 packet
Service: 49726 (udp/49726) (iptables:,eth0,none) - 2 packets
<....etc...>
We are running bind 8.3.4-REL. Does anyone have any idea why they
might be getting this in their logs? Here is the lion's share of our
named.conf file:
// generated by named-bootconf.pl
options {
        directory "/etc/namedb";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        forwarders { 135.190.241.5; };
        allow-transfer {
                localhost;
                199.89.30.2;
                199.89.35.3;
                208.35.158.65;
                199.89.42/24;
                206.8.241/24;
        };
};
(IPs have been changed for security purposes)
I can't seem to find any reason for this. Thanks!
- Jamie
"A friend is someone who lets you have total freedom to be yourself."