Security Incidents: RE: VPN connection attempts to resolvers?

RE: VPN connection attempts to resolvers?

From: Toni Heinonen <Toni.Heinonen_at_teleware.fi>
Date: Thu, 4 Apr 2002 19:54:05 +0300

> We've observed what appear to be attempts to establish a VPN connection to
> our caching-only resolvers. I have commented each of the packet dumps below.
> None of our nameservers provide any VPN services, and never have.
>
> Since I am not a VPN expert, I'm wondering if anyone else can shed some
> light on what might be going on here. Is this just a brain-dead VPN client
> that's making bad assumptions about its resolvers? Or is there something
> more malicious going on? The traffic was picked up after a SYN flood to one
> of the DNS servers led to further investigation.

Hello!

This matter has been previously discussed. Please see
http://lists.jammed.com/incidents/2002/01/0175.html

HTH,
TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone +358 (9) 3434 9123 * Fax +358 (9) 3431 321
   Wireless +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki, Finland
   toni.heinonen_at_teleware.fi * www.teleware.fi

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Apr 04 2002
