Date:      Fri, 28 Jan 2000 18:16:09 -0800 (PST)
From:      Samara McCord <mccord@zytek.com>
To:        freebsd-security@freebsd.org
Subject:   Continual DNS requests from mysterious IP
Message-ID:  <200001290216.SAA34537@floozy.zytek.com>

Hello,

This is not an attack, but somewhat irritating.  Also it's something
that no one would normally notice.  Well I was running tcpdump to check
on something else and noticed this.  About once a second I'm getting
DNS requests for the mail relay of "aol.com".  It has been going on all
day, possibly for many days.  It bugged me so I put this IP address in
my border filter to discard all packets.  Does anyone know what this is?
Some kind of network monitoring?  The IP address is not reversible
(surprise surprise), possibly in New York.  It sort of brings up the
issue that DNS inquiries should possibly be limited to 1. domains for
which you are authoritative, and 2. machines for which you provide
dial-up service.  Below is a sample tcpdump output (my machine
has been xxx'd out, the other IP address is real).

Sam

-------
15:58:36.768512 212.205.50.129.28912 > xxx.xxx.xxx.domain: 15357+ MX? aol.com. (25) (DF)
15:58:36.770828 xxx.xxx.xxx.domain > 212.205.50.129.28912: 15357 9/2/16 MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15 (500)
15:58:38.444473 212.205.50.129.14970 > xxx.xxx.xxx.domain: 1832+ MX? aol.com. (25) (DF)
15:58:38.446895 xxx.xxx.xxx.domain > 212.205.50.129.14970: 1832 9/2/16 MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15 (500)
15:58:38.778631 212.205.50.129.9245 > xxx.xxx.xxx.domain: 41476+ MX? aol.com. (25) (DF)
15:58:38.780911 xxx.xxx.xxx.domain > 212.205.50.129.9245: 41476 9/2/16 MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15 (500)
15:58:38.827693 212.205.50.129.18818 > xxx.xxx.xxx.domain: 60850+ MX? aol.com. (25) (DF)
15:58:38.829969 xxx.xxx.xxx.domain > 212.205.50.129.18818: 60850 9/2/16 MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15 (500)
15:58:39.367913 212.205.50.129.7526 > xxx.xxx.xxx.domain: 56983+ MX? aol.com. (25) (DF)
15:58:39.370303 xxx.xxx.xxx.domain > 212.205.50.129.7526: 56983 9/2/16 MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15 (500)
15:58:40.419209 212.205.50.129.4028 > xxx.xxx.xxx.domain: 47022+ MX? aol.com. (25) (DF)
15:58:40.420800 212.205.50.129.1875 > xxx.xxx.xxx.domain: 2307+ MX? aol.com. (25) (DF)
15:58:40.421774 xxx.xxx.xxx.domain > 212.205.50.129.4028: 47022 9/2/16 MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15 (500)
15:58:40.423991 xxx.xxx.xxx.domain > 212.205.50.129.1875: 2307 9/2/16 MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15 (500)
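As an added example (not part of the post above), here is a small audit script that applies the poster's two-part policy to tcpdump DNS query lines: it parses each query, counts queries and the query rate per source address, and flags lookups that are neither for a zone we are authoritative for nor from a client we resolve for. The zone `example.net`, the client prefix `192.0.2.`, and the sample lines are constructed assumptions that mirror the format of the output above.

```python
import re
from collections import defaultdict

# Hypothetical policy: zones we are authoritative for, and client
# networks we are willing to recurse for (the poster's dial-up users).
AUTHORITATIVE_ZONES = ("example.net",)
ALLOWED_RECURSION_PREFIXES = ("192.0.2.",)

# tcpdump one-line DNS query: "HH:MM:SS.usec src.port > dst.domain: id+ TYPE? name. (len)"
QUERY_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+\S+\.domain:\s+"
    r"\d+\+\s+(\w+)\?\s+(\S+)\.\s"
)

# Constructed sample in the same format as the captured output (not real traffic).
SAMPLE = """\
15:58:36.768512 203.0.113.7.28912 > 192.0.2.1.domain: 15357+ MX? aol.com. (25) (DF)
15:58:36.770828 192.0.2.1.domain > 203.0.113.7.28912: 15357 9/2/16 MX zd.mx.aol.com. 15 (500)
15:58:38.444473 203.0.113.7.14970 > 192.0.2.1.domain: 1832+ MX? aol.com. (25) (DF)
15:58:39.367913 203.0.113.7.7526 > 192.0.2.1.domain: 56983+ MX? aol.com. (25) (DF)
15:58:40.419209 203.0.113.7.4028 > 192.0.2.1.domain: 47022+ A? www.example.net. (33) (DF)
15:58:40.420800 192.0.2.10.1875 > 192.0.2.1.domain: 2307+ MX? aol.com. (25) (DF)
"""

def parse_query(line):
    """Return (seconds_of_day, src_ip, qtype, qname) for a query line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None  # responses and non-DNS lines are ignored
    h, mi, s, src, qtype, qname = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, qtype, qname.lower()

def in_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def audit(lines):
    """Per-source query count, rate (queries/sec over the observed span) and off-policy count."""
    stats = defaultdict(lambda: {"queries": 0, "first": None, "last": None, "offpolicy": 0})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        t, src, _qtype, qname = q
        st = stats[src]
        st["queries"] += 1
        st["first"] = t if st["first"] is None else min(st["first"], t)
        st["last"] = t if st["last"] is None else max(st["last"], t)
        if not in_zone(qname) and not src.startswith(ALLOWED_RECURSION_PREFIXES):
            st["offpolicy"] += 1  # recursion we never agreed to provide
    for st in stats.values():
        st["rate"] = st["queries"] / max(st["last"] - st["first"], 1.0)
    return dict(stats)
```

A source whose off-policy count and rate both stay high over time is the pattern the poster saw; the durable fix is to stop answering those queries at the resolver (restrict recursion) rather than to filter one address at the border.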