Sending UDP spam
Barry Margolin
barry.margolin at level3.com
Mon Sep 29 22:17:09 UTC 2003
In article <bla124$35f$1 at sf1.isc.org>, Jamie <jamie at gnulife.org> wrote:
> Someone on one of the networks we have authority for (do reverse
> in-addr.arpa lookups for) is reporting that our nameserver is sending them
> messages in their security logs that look like this:
>
> From 100.100.2.2 - 118 packets
> To 100.80.2.23 - 118 packets
> Service: 49000 (udp/49000) (iptables:,eth0,none) - 1 packet
> Service: 49003 (udp/49003) (iptables:,eth0,none) - 1 packet
> Service: 49026 (udp/49026) (iptables:,eth0,none) - 1 packet
> Service: 49161 (udp/49161) (iptables:,eth0,none) - 1 packet
> Service: 49275 (udp/49275) (iptables:,eth0,none) - 1 packet
> Service: 49276 (udp/49276) (iptables:,eth0,none) - 1 packet
> Service: 49568 (udp/49568) (iptables:,eth0,none) - 1 packet
> Service: 49569 (udp/49569) (iptables:,eth0,none) - 1 packet
> Service: 49570 (udp/49570) (iptables:,eth0,none) - 1 packet
> Service: 49572 (udp/49572) (iptables:,eth0,none) - 1 packet
> Service: 49726 (udp/49726) (iptables:,eth0,none) - 2 packets
> <....etc...>
Is 100.80.2.23 their nameserver? If so, these are presumably just replies
to the DNS queries they sent you. I guess their firewall isn't stateful,
so it doesn't remember that these ports were used as the source ports in
queries and the replies should be allowed in.
--
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
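Barry's explanation above, as an added example that is not from the post, from BIND or from iptables: a small Python model of a stateless UDP filter next to a stateful one, fed the port numbers from the quoted log. The names NS_ADDR, CLIENT_ADDR, ConnTracker and classify_replies are assumptions of this example; the addresses are the two from the quoted log.

```python
import re
from collections import namedtuple

# Hypothetical names for this example; addresses are those quoted in the post.
NS_ADDR = "100.100.2.2"      # the authoritative nameserver
CLIENT_ADDR = "100.80.2.23"  # the host on the complaining site

# Constructed excerpt in the format of the firewall log quoted in the post.
LOG = """\
Service: 49000 (udp/49000) (iptables:,eth0,none) - 1 packet
Service: 49003 (udp/49003) (iptables:,eth0,none) - 1 packet
Service: 49726 (udp/49726) (iptables:,eth0,none) - 2 packets
"""

Flow = namedtuple("Flow", "proto src sport dst dport")

def parse_blocked_ports(log):
    """Return (port, packet count) pairs from 'Service: N (udp/N) ... - K packet(s)' lines."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in re.finditer(r"\(udp/(\d+)\).*?- (\d+) packet", log)]

def stateless_allows(flow):
    """Stateless rule: inbound UDP is accepted only when addressed to port 53."""
    return flow.proto == "udp" and flow.dport == 53

class ConnTracker:
    """Minimal conntrack: remember outbound UDP queries, admit the matching replies."""
    def __init__(self):
        self.table = set()

    def outbound(self, flow):
        self.table.add(flow)

    def inbound_allowed(self, flow):
        # A reply is the outbound tuple with source and destination swapped.
        reverse = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        return stateless_allows(flow) or reverse in self.table

def classify_replies(log, queried_ports):
    """Map each logged port to (stateless verdict, stateful verdict) for the DNS reply."""
    ct = ConnTracker()
    for p in queried_ports:  # the client's queries left from these ephemeral ports
        ct.outbound(Flow("udp", CLIENT_ADDR, p, NS_ADDR, 53))
    verdicts = {}
    for port, _count in parse_blocked_ports(log):
        reply = Flow("udp", NS_ADDR, 53, CLIENT_ADDR, port)
        verdicts[port] = (stateless_allows(reply), ct.inbound_allowed(reply))
    return verdicts
```

Every reply is dropped by the stateless rule and admitted by the tracker, which is exactly the log pattern the post describes; a port the tracker never saw a query from stays blocked.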