Security Incidents mailing list archives

RE: VPN connection attempts to resolvers?


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Thu, 4 Apr 2002 19:54:05 +0300

We've observed what appear to be attempts to establish a VPN connection to
our caching-only resolvers. I have commented each of the packet dumps below.
None of our nameservers provide any VPN services, and never have.

Since I am not a VPN expert, I'm wondering if anyone else can shed some
light on what might be going on here. Is this just a brain-dead VPN client
that's making bad assumptions about its resolvers? Or is there something
more malicious going on? The traffic was picked up after a SYN flood to one
of the DNS servers led to further investigation.

Hello!

This matter has been previously discussed. Please see
http://lists.jammed.com/incidents/2002/01/0175.html

HTH,
TONI HEINONEN, CISSP
   TELEWARE OY
   Telephone  +358 (9) 3434 9123  *  Fax  +358 (9) 3431 321
   Wireless  +358 40 836 1815
   Kauppakartanonkatu 7, 00930 Helsinki, Finland
   toni.heinonen () teleware fi  *  www.teleware.fi

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

