Need to verify an assumption to make sure I haven't been hacked

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 5 21:55:27 UTC 2007


Rob Tanner wrote:
> This is probably completely self evident, but I want to be sure.  We
> have two internal name servers which unfortunately, until a couple of
> days ago were externally exposed.  Together they make up a high
> availability cluster and now only the cluster IP is exposed and properly
> locked down.  We are being hit with a huge flood of dynamic updates from
> the internet which are being refused because we don't do any dynamic
> updating.  The requests come in via UDP and our network manager is
> concerned because she sees lots of UDP packets (contents unknown) coming
> from the name server as well and going back out through the firewall to
> the internet.  My assumption is that's simply a message back saying that
> the dynamic update was refused and would be normal under the
> circumstances.  Is that assumption correct?
>   
As assumptions go, probably correct. But why are you all ASSUMING? 
Doesn't your network manager have a sniffer? Take a look at the traffic 
and see what it is. That might help you sleep better at night.
> BTW, this flood of dynamic updates is coming from hundreds of different
> addresses and I suspect it's a BOT infecting machines as it goes.
>   
I think it's more likely to be Wintel boxes with "register my IP address 
automatically" enabled and your domain configured as their "home" domain 
(for whatever reason). I see this all of the time.

                                 - Kevin
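The sniffer check Kevin suggests, done on the captured DNS payloads, as an added example that is not part of the original thread and not BIND's own code. A dynamic update is just a DNS message with OPCODE 5 (RFC 2136), and a server that does not allow updates answers it with QR=1 and RCODE 5 (REFUSED), which is exactly the "unknown" outbound UDP described above. The script below decodes the header fields a sniffer would show, builds a few packets inline (constructed, no network I/O) that look like the inbound registrations and the outbound refusals, and pairs each outbound packet with a pending inbound UPDATE by source address and message ID so that any outbound traffic that is not a refusal stands out. Zone and host names and addresses are made up for the example.

```python
"""Decode DNS headers to see whether outbound UDP from a name server is
just REFUSED replies to dynamic UPDATE requests.

Added example; not code from the bind-users thread or from BIND. All
packets are constructed inline so it runs offline."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
          9: "NOTAUTH", 10: "NOTZONE"}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header shared by RFC 1035 queries and RFC 2136
    updates: ID, flags (QR = bit 15, OPCODE = bits 11-14, RCODE = bits 0-3),
    then the four section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1,
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "counts": (c1, c2, c3, c4)}


def classify(msg: bytes) -> str:
    """Label like 'UPDATE request' or 'UPDATE response REFUSED'."""
    h = parse_header(msg)
    op = OPCODES.get(h["opcode"], "opcode%d" % h["opcode"])
    if h["qr"] == 0:
        return op + " request"
    return "%s response %s" % (op, RCODES.get(h["rcode"], "rcode%d" % h["rcode"]))


def _build_header(ident, qr, opcode, rcode, counts=(0, 0, 0, 0)) -> bytes:
    flags = (qr << 15) | (opcode << 11) | rcode
    return struct.pack("!HHHHHH", ident, flags, *counts)


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_update_request(ident, zone, host, ip) -> bytes:
    """Constructed UPDATE: zone section names the zone (SOA IN), update
    section adds one A record for the host, the shape of a client's
    'register this connection's address in DNS' registration."""
    zone_sec = _encode_name(zone) + struct.pack("!HH", 6, 1)  # TYPE SOA, CLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    upd_sec = _encode_name(host) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata  # A IN TTL RDLEN
    return _build_header(ident, 0, 5, 0, (1, 0, 1, 0)) + zone_sec + upd_sec


def _zone_section_len(msg: bytes) -> int:
    """Length of the first (zone) section; labels are uncompressed there."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - 12  # terminating zero + TYPE + CLASS


def build_refused_response(request: bytes) -> bytes:
    """What a server that does not allow updates sends back: same ID,
    QR=1, OPCODE=UPDATE, RCODE=REFUSED, zone section echoed, nothing else."""
    h = parse_header(request)
    n = _zone_section_len(request)
    return _build_header(h["id"], 1, 5, 5, (1, 0, 0, 0)) + request[12:12 + n]


def audit(captured):
    """captured: list of (direction, peer_ip, raw_dns_message).
    Returns (update_requests, matched_refusals, unmatched_outbound_labels).
    Outbound packets are matched to a pending inbound UPDATE by (peer, ID);
    anything left in the last list is outbound traffic that is NOT a
    refusal of an update and deserves a closer look."""
    pending = {}
    n_req = n_matched = 0
    unmatched = []
    for direction, peer, msg in captured:
        h = parse_header(msg)
        key = (peer, h["id"])
        if direction == "in" and h["qr"] == 0 and h["opcode"] == 5:
            n_req += 1
            pending[key] = msg
        elif direction == "out":
            if h["qr"] == 1 and h["opcode"] == 5 and h["rcode"] == 5 and key in pending:
                n_matched += 1
                del pending[key]
            else:
                unmatched.append(classify(msg))
    return n_req, n_matched, unmatched


# Constructed capture: two refused registrations from two hosts, plus an
# outbound recursive lookup that the audit should flag for inspection.
REQ1 = build_update_request(0x1A2B, "example.com", "pc1.example.com", "10.1.1.5")
REQ2 = build_update_request(0x3C4D, "example.com", "pc2.example.com", "10.2.2.6")
SAMPLE = [
    ("in", "203.0.113.10", REQ1),
    ("out", "203.0.113.10", build_refused_response(REQ1)),
    ("in", "198.51.100.7", REQ2),
    ("out", "198.51.100.7", build_refused_response(REQ2)),
    ("out", "192.0.2.53", _build_header(0x7777, 0, 0, 0, (1, 0, 0, 0))
     + _encode_name("www.example.net") + struct.pack("!HH", 1, 1)),
]

if __name__ == "__main__":
    for d, peer, m in SAMPLE:
        print(d, peer, classify(m))
    print(audit(SAMPLE))
```

On a real capture the same fields are what tcpdump prints in verbose mode (`tcpdump -n -vv udp port 53`), where an update shows up with the "update" opcode and the reply as "Refused"; if the outbound packets decode as anything other than REFUSED replies carrying the same IDs as inbound updates, that is the point at which the assumption stops being safe.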