Security Incidents: Re: DNS UDP Dos Attack?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: DNS UDP Dos Attack?

From: Gary Maltzen <maltzen () MM COM>
Date: Sun, 4 Mar 2001 16:17:34 -0600

I've seen similar when the host is running Napster.
What makes you think this is a DNS attempt?

I am receiving ton of attempted UDP connections to an internal host. Connecting to this host is stopped at my 
firewall, but my firewall is paying a stiff price. I have seen the available memory on my firewall go down my 1-2 Mbg 
per minute while it trys to block all this traffic.

Has anyone seen systems trying to reach a DNS host via UDP to port 42326?

Here is a snippet of log files.

UDP out 209.10.34.23:8541 in 209.11.137.71:42326 idle 0:32:24 flags -
UDP out 209.10.34.39:29277 in 209.11.137.71:42326 idle 0:33:26 flags -
UDP out 207.235.38.3:28931 in 209.11.137.71:42326 idle 0:32:42 flags -
UDP out 209.10.34.39:33373 in 209.11.137.71:42326 idle 0:33:38 flags D-
UDP out 206.190.71.2:33812 in 209.11.137.71:42326 idle 0:33:49 flags D-
UDP out 193.141.40.42:1437 in 209.11.137.71:42326 idle 0:35:19 flags -
UDP out 63.91.4.4:12673 in 209.11.137.71:42326 idle 0:34:49 flags -

By Date By Thread

Current thread:

DNS UDP Dos Attack? James Kelty (Mar 02)
- Re: DNS UDP Dos Attack? Wlodek (Mar 02)
  - Re: DNS UDP Dos Attack? Aaron Schultz (Mar 03)
  - FROM port 137 TO port 137 Bryan Bradsby (Mar 03)
- Re: DNS UDP Dos Attack? Gary Maltzen (Mar 04)