[dns-operations] Interesting firewall drops
Sam Norris
Sam at ChangeIP.com
Thu Jan 4 08:24:38 UTC 2007
Hello all,
We've been noticing more and more of these types of drops in our logs and
wonder if it's a hack attempt or a misconfigured resolver:
00:15:25 TCP (ACK), 159.237.4.2:80->204.16.170.10:53, len 40
00:15:25 TCP (RST), 159.237.4.2:33492->204.16.170.10:53, len 40
00:15:25 TCP (SYN), 159.237.4.2:33492->204.16.170.10:53, len 40
00:15:30 TCP (RST), 159.237.4.2:33492->204.16.170.10:53, len 40
What's interesting is the order of the packets and their TCP flags. An ACK
first using source port 80, then followed up by an RST to a random high port.
Possibly an attempt to close a DNS zone transfer or previous request? I'm
compiling a list of source IPs now and will follow up with a more complete
list. So far it is these in the past few minutes:
203.200.111.10
210.174.64.241
210.252.151.65
221.186.144.57
125.20.33.211
159.237.4.2
212.145.140.210
Sam
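As an added example (not part of Sam's post and not ChangeIP tooling), here is a short Python script that parses drop lines in the format shown above and labels each packet by whether it is in state for its TCP flow: a SYN opens a 4-tuple, later packets on that 4-tuple are in-state, and an ACK or RST on a 4-tuple with no SYN seen yet is out-of-state, which is exactly what the first two lines in the post are. The log layout is assumed from the four quoted lines; the sample input is those four lines plus two constructed lines (source 192.0.2.10, a documentation address) showing a normal SYN-then-ACK sequence for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the four drop lines quoted in the post, followed by two
# made-up lines (192.0.2.10 is a documentation address) with a normal
# SYN-then-ACK sequence for contrast.
SAMPLE_LOG = """\
00:15:25 TCP (ACK), 159.237.4.2:80->204.16.170.10:53, len 40
00:15:25 TCP (RST), 159.237.4.2:33492->204.16.170.10:53, len 40
00:15:25 TCP (SYN), 159.237.4.2:33492->204.16.170.10:53, len 40
00:15:30 TCP (RST), 159.237.4.2:33492->204.16.170.10:53, len 40
00:16:01 TCP (SYN), 192.0.2.10:51001->204.16.170.10:53, len 60
00:16:01 TCP (ACK), 192.0.2.10:51001->204.16.170.10:53, len 40
"""

# Line layout assumed from the post: "HH:MM:SS TCP (FLAGS), src:sport->dst:dport, len N".
# FLAGS may be a comma-separated combination such as SYN,ACK.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) TCP \((?P<flags>[A-Z,]+)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for one drop line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = set(pkt["flags"].split(","))
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def classify(text):
    """Label every parsable packet as handshake-start, in-state or out-of-state.

    A SYN opens the 4-tuple; later packets on it are in-state; an ACK/RST/FIN
    on a 4-tuple with no SYN seen so far is out-of-state, which is what a
    stateful firewall drops and what the first two lines of the post show.
    """
    seen_syn = set()
    labelled = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if "SYN" in pkt["flags"]:
            seen_syn.add(flow)
            verdict = "handshake-start"
        elif flow in seen_syn:
            verdict = "in-state"
        else:
            verdict = "out-of-state"
        labelled.append((pkt, verdict))
    return labelled


def summarize_sources(text):
    """Per source IP: number of out-of-state packets and any privileged (<1024)
    source ports used, such as the port-80 ACK in the post."""
    summary = defaultdict(lambda: {"out_of_state": 0, "low_src_ports": set()})
    for pkt, verdict in classify(text):
        entry = summary[pkt["src"]]
        if verdict == "out-of-state":
            entry["out_of_state"] += 1
        if pkt["sport"] < 1024:
            entry["low_src_ports"].add(pkt["sport"])
    return dict(summary)


if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE_LOG):
        print(pkt["time"], pkt["src"], pkt["sport"], "->", pkt["dport"],
              ",".join(sorted(pkt["flags"])), verdict)
    for src, entry in summarize_sources(SAMPLE_LOG).items():
        print(src, entry["out_of_state"], "out-of-state,",
              "low source ports:", sorted(entry["low_src_ports"]))
```

On the four lines from the post this yields two out-of-state packets (the port-80 ACK and the first RST), then the SYN, then an in-state RST, and the summary for 159.237.4.2 records source port 80. The labels only separate these drops from normal handshake traffic; whether a given source is backscatter from spoofed packets, a scanner, or a broken middlebox is not something the drop log alone settles.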
More information about the dns-operations
mailing list