[dns-operations] Interesting firewall drops

Sam Norris Sam at ChangeIP.com
Thu Jan 4 08:24:38 UTC 2007

Hello all,

We've been noticing more and more of these types of drops in our logs and 
wonder if it's a hack attempt or a misconfigured resolver:

00:15:25 TCP (ACK),>, len 40
00:15:25 TCP (RST),>, len 40
00:15:25 TCP (SYN),>, len 40
00:15:30 TCP (RST),>, len 40

What's interesting is the order of the packets and their TCP flags.  An ACK 
first using source port 80, then followed up by a RST to a random high port. 
Possibly an attempt to close a DNS zone transfer or previous request?  I'm 
compiling a list of source IPs now and will follow up with a more complete 
list.  So far it is these in the past few mins:

