Security Incidents: Re: TCP connections to port 1024 - DDoS?

Re: TCP connections to port 1024 - DDoS?

From: Neil Long <neil.long_at_COMPUTING-SERVICES.OXFORD.AC.UK>
Date: Tue, 24 Oct 2000 18:06:11 +0100

Hello

I started logging these oddball packets back mid-August or so, usually the
same smallish number of hosts and they are all unsolicited ACKs. Charting
them by the hour shows spikes of varying periodicities.

The target IPs are, as far as I can tell, all hosts which have made a DNS
lookup i.e. they are not always DNS servers but some are and the others will
have probably been running a caching named or are a firewall, etc.

The majority of targets reply with a RST (some don't). At one point one of
the remote 'sender' IPs did resolve:

208.184.162.71 208.184.162.71.mirror-image.com

If you go take a look at www.mirror-image.com you will see that they have a
large number of servers spread around geographically and my guess is that
this scanning pattern is working out best routes, responses, etc.

How or why they are acquiring all these 'hosts which are running named
of some type' raises a lot of questions, the answers to which may be somewhat
disturbing. I regard the packets as 'mostly harmless' but we all know where
that can lead.

Neil
Received on Oct 26 2000
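The observation in the post (bare ACKs arriving for flows that never had a SYN, most of them answered with a RST, with counts that spike by the hour) can be reproduced from a packet log with a small flow tracker. The example below is added here and is not code from the original post or from the Security Incidents list; its log format, the function names, and the sample addresses and source ports are all constructed for illustration, so a real tcpdump or firewall log would need its own parser.

```python
"""Flag unsolicited TCP ACKs (no SYN seen for the flow) in a simple text
packet log and bucket them by hour and by sending host.

Added example, not from the original post. The log format is constructed:
    <ISO-8601 timestamp> <src_ip>:<sport> > <dst_ip>:<dport> <TCP flags>
"""

from collections import Counter
from datetime import datetime

# Constructed sample log. Lines 1-3 are an ordinary handshake to a web
# server; the rest are bare ACKs to port 1024 with no prior SYN, plus one
# RST reply from the target, which is the pattern discussed in the post.
# Addresses and source ports are documentation/example values only.
SAMPLE_LOG = """\
2000-10-24T09:00:01 10.0.0.5:34567 > 192.0.2.10:80 S
2000-10-24T09:00:01 192.0.2.10:80 > 10.0.0.5:34567 SA
2000-10-24T09:00:01 10.0.0.5:34567 > 192.0.2.10:80 A
2000-10-24T09:15:30 203.0.113.7:33445 > 10.0.0.5:1024 A
2000-10-24T09:15:31 10.0.0.5:1024 > 203.0.113.7:33445 R
2000-10-24T10:02:11 203.0.113.7:33445 > 10.0.0.9:1024 A
2000-10-24T10:02:12 198.51.100.4:41002 > 10.0.0.5:1024 A
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, sport, dst_ip, dport, flags)."""
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (datetime.fromisoformat(ts), src_ip, int(src_port),
            dst_ip, int(dst_port), flags)


def find_unsolicited_acks(log_text):
    """Return [(timestamp, src_ip, dst_ip, dst_port)] for ACK-only segments
    whose flow (4-tuple, either direction) has had no SYN earlier in the log.

    RST and RST/ACK segments are ignored: they are the targets' replies,
    not new unsolicited traffic.
    """
    seen_syn = set()   # flows for which a SYN (or SYN/ACK) has been seen
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sip, sport, dip, dport, flags = parse_line(line)
        flow = frozenset({(sip, sport), (dip, dport)})  # direction-independent key
        if "S" in flags:
            seen_syn.add(flow)
            continue
        if "A" in flags and "R" not in flags and flow not in seen_syn:
            hits.append((ts, sip, dip, dport))
    return hits


def summarize(hits):
    """Count unsolicited ACKs per hour and per sending IP, like the hourly
    chart described in the post. Returns (by_hour, by_sender) Counters."""
    by_hour = Counter(ts.strftime("%Y-%m-%d %H:00") for ts, *_ in hits)
    by_sender = Counter(sip for _, sip, _, _ in hits)
    return by_hour, by_sender


if __name__ == "__main__":
    found = find_unsolicited_acks(SAMPLE_LOG)
    hours, senders = summarize(found)
    for hour, n in sorted(hours.items()):
        print(f"{hour}  {n} unsolicited ACK(s)")
    for ip, n in senders.most_common():
        print(f"{ip:15}  {n}")
```

One caveat worth keeping in mind when running this over a real capture: any connection established before logging started will also show ACKs with no recorded SYN, so the flow table should be warmed up for a while (or the capture started at a quiet time) before the counts are trusted, and the "majority reply with a RST" check can be added by looking for a RST from the target in the same flow shortly after each flagged ACK.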
