[Full-Disclosure] Malformed dns
- To: <bugtraq-get.123_145@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Malformed dns
- From: "Thorsten Mayr" <tmayr@xxxxxxxxxx>
- Date: Thu, 29 Apr 2004 19:56:50 +0200
Hi guys,
I found some funny stuff on my FireWall-1, maybe you guys got an idea what
could cause it.
// Log excerpt:
"356258" "28Apr2004" "6:38:55" "Multi-product" "*****" "*****" "Log"
"Drop" "domain-udp" "10.118.100.2" "216.73.86.10" "udp" "0" "domain-udp"
"" "Attack Info: Badly formed DNS"
"356259" "28Apr2004" "6:38:56" "VPN-1 & FireWall-1" "***" "****" "Log"
"Accept" "domain-udp" "10.118.100.2" "216.73.86.10" "udp" ""
"domain-udp" "" "session_id: 764; dns_query: ebay.doubleclick.net
(+)ebay.doubleclick.net (+)ebay.doubleclick.net (+)ebay.doubleclick.net
(+)ebay.doubleclick.net (+)ebay.doubleclick.net (+)ebay.doubleclick.net
(+)ebay.doubleclick.net (+)ebay.doubleclick.net ; dns_type:
A(+)A(+)A(+)A(+)A(+)A(+)A(+)A(+)A"
//end
(The **** are our fw hosts...)
Anybody heard about something that is about to DoS *.doubleclick.net? Got
loads of dropped queries trying to talk to several of their hosts...
Always around midtime - will sniff the packets tomorrow.... There are
quite a lot of queries like that.
I am happy for any help on that one.
Though the traffic is caused by one of the servers not running a DNS
service at all.
It used to serve as a SQL server which was shut down recently... Now all
it does is act as a WINS server.
NT 4.0
Thx in advance.
Regards
Thorsten
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
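
One way to triage an export like the one in the post, as an added example that is not part of the original message: it rejoins records whose quoted fields wrap across lines, then tallies per source and destination the "Badly formed DNS" drops and how often each name appears in dns_query. The column positions and the reading of "(+)" as an entry separator are assumptions taken from the two records shown above.

```python
import re
from collections import Counter

# The two records from the post, kept wrapped as the export printed them.
SAMPLE = '''"356258" "28Apr2004" "6:38:55" "Multi-product" "*****" "*****" "Log"
"Drop" "domain-udp" "10.118.100.2" "216.73.86.10" "udp" "0" "domain-udp"
"" "Attack Info: Badly formed DNS"
"356259" "28Apr2004" "6:38:56" "VPN-1 & FireWall-1" "***" "****" "Log"
"Accept" "domain-udp" "10.118.100.2" "216.73.86.10" "udp" ""
"domain-udp" "" "session_id: 764; dns_query: ebay.doubleclick.net
(+)ebay.doubleclick.net (+)ebay.doubleclick.net (+)ebay.doubleclick.net
(+)ebay.doubleclick.net (+)ebay.doubleclick.net (+)ebay.doubleclick.net
(+)ebay.doubleclick.net (+)ebay.doubleclick.net ; dns_type:
A(+)A(+)A(+)A(+)A(+)A(+)A(+)A(+)A"
'''

DATE = re.compile(r"\d{1,2}[A-Za-z]{3}\d{4}$")

def records(text):
    """Split the export into records; a quoted field may wrap across lines."""
    fields = [" ".join(f.split()) for f in re.findall(r'"([^"]*)"', text)]
    starts = [i for i in range(len(fields) - 1)
              if fields[i].isdigit() and DATE.match(fields[i + 1])]
    for a, b in zip(starts, starts[1:] + [len(fields)]):
        yield fields[a:b]

def triage(text):
    """Per (src, dst): count malformed-DNS drops and repeated query names."""
    out = {}
    for rec in records(text):
        if len(rec) < 16:
            continue  # truncated record; column positions below would be wrong
        # Assumed positions from the excerpt: 7=action, 9=src, 10=dst, last=info
        action, src, dst, info = rec[7], rec[9], rec[10], rec[-1]
        entry = out.setdefault((src, dst), {"malformed_drops": 0, "names": Counter()})
        if action == "Drop" and "Badly formed DNS" in info:
            entry["malformed_drops"] += 1
        m = re.search(r"dns_query:\s*([^;]*)", info)
        if m:
            entry["names"].update(n.strip() for n in m.group(1).split("(+)") if n.strip())
    return out

if __name__ == "__main__":
    for (src, dst), e in triage(SAMPLE).items():
        print(src, "->", dst, "drops:", e["malformed_drops"], dict(e["names"]))
```

Run over a full day's export, the per-pair counts show whether the drops cluster on one internal host and one query name, which narrows what to capture when sniffing.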