Need to verify an assumption to make sure I haven't been hacked

Rob Tanner rtanner at linfield.edu
Tue Jun 5 21:07:17 UTC 2007


This is probably completely self evident, but I want to be sure.  We
have two internal name servers which, unfortunately, until a couple of
days ago were externally exposed.  Together they make up a high
availability cluster, and now only the cluster IP is exposed and properly
locked down.  We are being hit with a huge flood of dynamic updates from
the internet which are being refused because we don't do any dynamic
updating.  The requests come in via UDP, and our network manager is
concerned because she sees lots of UDP packets (contents unknown) coming
from the name server as well and going back out through the firewall to
the internet.  My assumption is that's simply a message back saying that
the dynamic update was refused and would be normal under the
circumstances.  Is that assumption correct?
BTW, this flood of dynamic updates is coming from hundreds of different
addresses, and I suspect it's a BOT infecting machines as it goes.


Thanks,
Rob


-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
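An added example, not part of the original thread or of BIND: the check the post is asking for can be done by decoding the DNS header of the outbound UDP payloads. A refused dynamic update produces a response with the same transaction ID as the request, QR=1, OPCODE=5 (UPDATE, RFC 2136) and RCODE=5 (REFUSED), and RFC 2136 section 3.8 lets the server either echo the request's sections or zero the counts, so the reply is roughly the size of the request. The script below builds a constructed UPDATE request for a made-up zone (example.edu. is a sample, not a real target), builds the refusal a server would send, and classifies both the way one would classify payloads pulled from a capture.

```python
"""Decode DNS message headers to tell dynamic UPDATE requests from the
REFUSED replies a server sends back (RFC 1035 header layout, RFC 2136 UPDATE).
The packets below are constructed in this script, not captured traffic."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}
OPCODE_UPDATE = 5
RCODE_REFUSED = 5


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_header(msg):
    """Split the 12-byte header into its fields (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}


def build_update_request(txid, zone):
    """Minimal UPDATE request: header with OPCODE=5 and a one-entry Zone
    section (ZNAME, ZTYPE=SOA, ZCLASS=IN); no prerequisites or updates."""
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)


def build_refused_response(request):
    """Reply a server sends when the update is not allowed: same ID and
    opcode, QR=1, RCODE=REFUSED. RFC 2136 3.8 lets the server either echo
    the request's sections or zero the counts; this one echoes the Zone section."""
    h = parse_header(request)
    flags = 0x8000 | (h["opcode"] << 11) | RCODE_REFUSED
    zocount = h["counts"][0]
    return struct.pack("!HHHHHH", h["id"], flags, zocount, 0, 0, 0) + request[12:]


def describe(msg):
    """One-line classification of a DNS payload for packet-capture triage."""
    h = parse_header(msg)
    kind = "response" if h["qr"] else "request"
    op = OPCODES.get(h["opcode"], str(h["opcode"]))
    zone = decode_name(msg, 12)[0] if h["counts"][0] else "(no zone section)"
    if h["qr"]:
        rcode = RCODES.get(h["rcode"], str(h["rcode"]))
        return f"id={h['id']:#06x} {op} {kind} rcode={rcode} zone={zone}"
    return f"id={h['id']:#06x} {op} {kind} zone={zone}"


def is_refused_update_reply(request, response):
    """True when 'response' is the server's refusal of 'request': IDs match,
    it is a response, its opcode is UPDATE and its RCODE is REFUSED."""
    q, r = parse_header(request), parse_header(response)
    return (q["id"] == r["id"] and r["qr"] == 1
            and r["opcode"] == OPCODE_UPDATE and r["rcode"] == RCODE_REFUSED)


if __name__ == "__main__":
    req = build_update_request(0x1A2B, "example.edu.")   # constructed sample
    resp = build_refused_response(req)
    print("inbound: ", describe(req))
    print("outbound:", describe(resp))
    print("matched refusal:", is_refused_update_reply(req, resp))
```

To apply this to real traffic, feed `describe()` the UDP payloads of the outbound packets from port 53: if they decode as UPDATE responses with RCODE REFUSED (or NOTAUTH, depending on configuration) and their IDs match inbound UPDATE requests from the same peers, they are refusals, not data leaving the server. Anything else, such as outbound QUERY requests or responses to peers that never sent a request, would be the thing to investigate.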




