From owner-freebsd-security Sat Jan 29 16:37:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 4AE4914E5F for ; Sat, 29 Jan 2000 16:37:18 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA07751; Sat, 29 Jan 2000 17:37:03 -0700 (MST)
Message-Id: <4.2.2.20000129173418.03dc4960@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Sat, 29 Jan 2000 17:36:59 -0700
To: Samara McCord , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Continual DNS requests from mysterious IP
In-Reply-To: <200001290216.SAA34537@floozy.zytek.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My guess is that your machine is being used in a distributed DoS attack against AOL. The perpetrator is probably querying many servers throughout the Net, hoping that they in turn will swamp AOL. By providing lots of bogus host names that do not repeat, they're ensuring that a fresh request is generated every time.

I personally would block the buggers and then contact AOL.

--Brett

At 07:16 PM 1/28/2000 , Samara McCord wrote:
>Hello,
>
>This is not an attack, but somewhat irritating. Also it's something
>that no one would normally notice. Well I was running tcpdump to check
>on something else and noticed this. About once a second I'm getting
>DNS requests for the mail relay of "aol.com". It has been going on all
>day, possibly for many days. It bugged me so I put this IP address in
>my border filter to discard all packets. Does anyone know what this is?
>Some kind of network monitoring? The IP address is not reversible
>(surprise surprise), possibly in New York. It sort of brings up the
>issue of possibly DNS inquiries should be limited to 1. domains for
>which you are authoritative, and 2. machines for which you provide
>dial-up service. Below is a sample tcpdump output (my machine
>has been xxx'd out, the other IP address is real).
>
>Sam
>
>-------
>15:58:36.768512 212.205.50.129.28912 > xxx.xxx.xxx.domain: 15357+ MX? aol.com. (25) (DF)
>15:58:36.770828 xxx.xxx.xxx.domain > 212.205.50.129.28912: 15357 9/2/16 MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15 (500)
>15:58:38.444473 212.205.50.129.14970 > xxx.xxx.xxx.domain: 1832+ MX? aol.com. (25) (DF)
>15:58:38.446895 xxx.xxx.xxx.domain > 212.205.50.129.14970: 1832 9/2/16 MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15 (500)
>15:58:38.778631 212.205.50.129.9245 > xxx.xxx.xxx.domain: 41476+ MX? aol.com. (25) (DF)
>15:58:38.780911 xxx.xxx.xxx.domain > 212.205.50.129.9245: 41476 9/2/16 MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15 (500)
>15:58:38.827693 212.205.50.129.18818 > xxx.xxx.xxx.domain: 60850+ MX? aol.com. (25) (DF)
>15:58:38.829969 xxx.xxx.xxx.domain > 212.205.50.129.18818: 60850 9/2/16 MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15 (500)
>15:58:39.367913 212.205.50.129.7526 > xxx.xxx.xxx.domain: 56983+ MX? aol.com. (25) (DF)
>15:58:39.370303 xxx.xxx.xxx.domain > 212.205.50.129.7526: 56983 9/2/16 MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15 (500)
>15:58:40.419209 212.205.50.129.4028 > xxx.xxx.xxx.domain: 47022+ MX? aol.com. (25) (DF)
>15:58:40.420800 212.205.50.129.1875 > xxx.xxx.xxx.domain: 2307+ MX? aol.com. (25) (DF)
>15:58:40.421774 xxx.xxx.xxx.domain > 212.205.50.129.4028: 47022 9/2/16 MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15 (500)
>15:58:40.423991 xxx.xxx.xxx.domain > 212.205.50.129.1875: 2307 9/2/16 MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15 (500)
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
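A detector for the pattern in Sam's capture, added here as an example and not code from the thread: it parses tcpdump's one-line DNS summaries, pairs each query with its answer, and flags a source whose recursive queries all concern zones the server is not authoritative for, arrive from outside the dial-up client prefixes (the two limits Sam proposes), and pull back answers many times larger than the queries (25 bytes in, 500 bytes out above). The zone list, client prefixes, thresholds and sample lines are constructed assumptions, with documentation addresses in place of the real ones.

```python
import re
from collections import defaultdict
# tcpdump DNS summaries as quoted in the capture above:
#   query:    <ts> <src>.<sport> > <dst>.domain: <id>+ MX? aol.com. (25) (DF)
#   response: <ts> <dst>.domain > <src>.<sport>: <id> 9/2/16 MX ... (500)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)(?P<flags>[-+*|$]*)(?P<rest>.*)\((?P<size>\d+)\)")

def parse_line(line):  # one DNS summary line -> dict, None for anything else
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = rec["ts"].split(":")
    rec["t"] = int(h) * 3600 + int(mi) * 60 + float(s)       # seconds since midnight
    rec["size"] = int(rec["size"])                            # UDP payload bytes
    q = re.search(r"\w+\? (\S+)", rec["rest"])                # "MX? aol.com." (queries only)
    rec["qname"] = q.group(1).lower() if q else None
    return rec

def find_amplification_sources(lines, our_zones, our_clients, min_queries=2, min_amp=5.0):
    """Flag sources whose RD queries are all for foreign zones, from non-clients, and well amplified."""
    pending, stats = {}, defaultdict(lambda: {"n": 0, "foreign": 0, "qb": 0, "rb": 0, "t": []})
    for rec in filter(None, map(parse_line, lines)):
        if rec["dport"] == "domain" and rec["qname"]:          # query into our resolver
            st = stats[rec["src"]]
            st["n"] += 1; st["qb"] += rec["size"]; st["t"].append(rec["t"])
            ours = any(rec["qname"].endswith(z) for z in our_zones)
            client = any(rec["src"].startswith(p) for p in our_clients)
            st["foreign"] += "+" in rec["flags"] and not ours and not client
            pending[(rec["src"], rec["sport"], rec["id"])] = True
        elif rec["sport"] == "domain" and pending.pop((rec["dst"], rec["dport"], rec["id"]), None):
            stats[rec["dst"]]["rb"] += rec["size"]               # bytes we sent back toward the querier
    flagged = {}
    for src, st in stats.items():
        amp = st["rb"] / st["qb"]
        if st["n"] >= min_queries and st["foreign"] == st["n"] and amp >= min_amp:
            span = (max(st["t"]) - min(st["t"])) or 1.0
            flagged[src] = {"queries": st["n"], "amplification": round(amp, 1), "qps": round(st["n"] / span, 2)}
    return flagged

# Constructed sample in the capture's format, using documentation addresses (not the real ones above).
SAMPLE = """\
15:58:36.768512 192.0.2.10.28912 > 198.51.100.5.domain: 15357+ MX? aol.com. (25) (DF)
15:58:36.770828 198.51.100.5.domain > 192.0.2.10.28912: 15357 9/2/16 MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15 (500)
15:58:38.444473 192.0.2.10.14970 > 198.51.100.5.domain: 1832+ MX? aol.com. (25) (DF)
15:58:38.446895 198.51.100.5.domain > 192.0.2.10.14970: 1832 9/2/16 MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15 (500)
15:58:39.100000 203.0.113.7.40001 > 198.51.100.5.domain: 7+ A? www.example.org. (33) (DF)
15:58:39.102000 198.51.100.5.domain > 203.0.113.7.40001: 7 1/0/0 A 192.0.2.80 (49)
""".splitlines()
```

Calling `find_amplification_sources(SAMPLE, ["example.net."], ["203.0.113."])` reports only 192.0.2.10 (20x amplification, about 1.2 queries per second); the dial-up client asking for its own record is left alone.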