What are these entries in the log file - " query: . IN NS +"?
Tony Toews [MVP]
ttoews at telusplanet.net
Tue Jan 27 04:03:24 UTC 2009
"Tony Toews [MVP]" <ttoews at telusplanet.net> wrote:
>As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these lines
>before.
When I analyzed today's log I got three IP addresses.
204.15.80.50 might be smtp9.soma.ironport.com
63.217.28.226 might be Network solutions according to the below SlashDot article.
76.9.16.171 is mentioned at http://isc.sans.org/diary.html?storyid=5713
Ah, I think I see what is happening here. Searching at the below article for
63.217.28.226
http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply stating:
"The problem seems to kick in for DNS servers that aren't rejecting the queries.
Someone is channeling ye 'ole smurfing methods.
They're requesting a list of all DNS root servers. If the server doesn't reject the
query, a 17 byte query becomes a 50k response (or something like that) to the spoofed
address."
Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
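
As an added example (not part of the original post), one way to tally the ". IN NS" log entries per claimed source address. It assumes BIND's query-log line layout `client <ip>#<port>: query: <name> <class> <type> <flags>`; the function name, threshold and sample lines are constructed for illustration. Because the source addresses are spoofed, the addresses it reports are the ones the responses are being sent to, not the real senders.

```python
import re
from collections import Counter

# Assumed BIND query-log layout:
#   ... client <ip>#<port>: query: <name> <class> <type> <flags>
# Newer BIND releases add "@0x..", "(qname)" and "view x:" fields; the
# pattern tolerates them so the same code works on both layouts.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def root_ns_sources(lines, threshold=3):
    """Count root NS queries ('. IN NS') per claimed source address and
    return {ip: count} for sources seen at least `threshold` times."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and (m["name"], m["cls"], m["type"]) == (".", "IN", "NS"):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def _line(ip, query):
    # Builds one constructed log line; timestamp and port are made up.
    return f"27-Jan-2009 04:03:24.000 queries: info: client {ip}#53000: query: {query}"


# Constructed sample log: the three addresses named in the post plus an
# ordinary client (192.0.2.10, a documentation address) doing normal lookups.
SAMPLE_LOG = (
    [_line("76.9.16.171", ". IN NS +")] * 4
    + [_line("63.217.28.226", ". IN NS +")] * 3
    + [_line("204.15.80.50", ". IN NS +")]
    + [_line("192.0.2.10", "example.com IN A +")] * 5
)

if __name__ == "__main__":
    for ip, n in sorted(root_ns_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} root NS queries")
```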