[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: [Full-Disclosure] Question for DNS pros

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: FW: [Full-Disclosure] Question for DNS pros
From: "Ian Latter" <Ian.Latter@xxxxxxxxx>
Date: Wed, 04 Aug 2004 12:04:00 +1000

I've been flat out here -- but I've tried to stay on this thread ..

Are you guys sure that this isn't the server end of the 
ip-over-dns software (nstxd) trying to get data back to the
now non-existent client?

It would have made it through your statefull kit if it was 
initiated from that problem address of yours (Paul), originally.


The only thing I see not being consistent with the nstx stuff
is the multiple sources/channels ... but that doesn't mean
that there couldn't have been multiple connections from the
problem address, or a multi-terminating version of the client/
server software .. (a dns hub of sorts).



----- Original Message -----
>From: "Ron DuFresne" <dufresne@xxxxxxxxxxxxx>
>To: "Paul Schmehl" <pauls@xxxxxxxxxxxx>
>Subject:  Re: FW: [Full-Disclosure] Question for DNS pros
>Date: Tue, 03 Aug 2004 11:29:55 -0500
>
> 
>       [SNIP]
> 
> > >
> > Mine are identical to yours.  Same host, same src port, same types of
> > packets, same ttl, same len)  Whatever this is is obviously crafted from
> > some sort of script.  The only thing I can think of is recon.  If someone
> > has any bright ideas, speak up.
> >
> 
> I think Frank mentioned the packets being like 2048 in size, and this
> makes me wonder if it's a tad more then mere recon.  Might be trying to
> exploit or develope an exploit for bind.  and might be a tool in progress
> for a specific bind OS combo.
> 
> But, I find just tossing the offenders into the "not allowed" list of
> entowrk addresses reduces the log fluff as well as hinder progressive
> testing, for them, at least off my networks.
> 
> 
> 
> Thanks,
> 
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: FW: [Full-Disclosure] Question for DNS pros
  - From: Paul Schmehl

Prev by Date: Re: FW: [Full-Disclosure] Question for DNS pros
Next by Date: Re: [Full-Disclosure] Tipping Point IPS systems
Previous by thread: Re: FW: [Full-Disclosure] Question for DNS pros
Next by thread: Re: FW: [Full-Disclosure] Question for DNS pros
Index(es):
- Date
- Thread