List: ipfilter
Subject: Re: Odd behavior with blocked DNS
From: Jefferson Ogata <Jefferson.Ogata () noaa ! gov>
Date: 2006-08-11 0:48:04
Message-ID: 44DBD3C4.4070302 () noaa ! gov
On 2006-08-09 01:14, Michael T. Davis wrote:
> At 17:03:57.06 on 8-AUG-2006 in message
> <01M5R7MBWOB6A4O8M2@er6s1.eng.ohio-state.edu>, I wrote:
>> [...]
>> Despite the above rules, TCP port 53 SYN packets are apparently making
>> it past the firewall, since I'm seeing RST (reset) packets being sent out in
>> response.[...]
>
> Apologies...I was misinterpreting things. The packets weren't aimed
> at port 53 on our network--they were coming _from_ port 53 on the remote
> system. The initial packet has not only SYN but ACK set. I'd guess this guy
> in China's trying to get a rise out of systems here.

Or, perhaps you're seeing backscatter from a DNS-based denial-of-service
attack directed at the Chinese IP with forged source addresses that
happen to include the IP of your system.
--
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
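
The backscatter reading in the message above can be checked against a packet log by looking for inbound SYN+ACK packets that no outbound SYN preceded. The following is an added example, not part of the original message or of ipfilter; the `Pkt` record layout, the `find_backscatter` name, the 30-second window, and the sample packets (documentation address ranges) are all assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical record layout: flags use tcpdump-style letters (S, SA, R).
Pkt = namedtuple("Pkt", "ts direction src sport dst dport flags")

# Constructed sample traffic, not taken from the thread.
SAMPLE = [
    # Legitimate handshake: local host sends SYN, server answers SYN+ACK.
    Pkt(1.0, "out", "192.0.2.10", 40000, "198.51.100.5", 53, "S"),
    Pkt(1.1, "in", "198.51.100.5", 53, "192.0.2.10", 40000, "SA"),
    # SYN+ACK from port 53 with no outbound SYN before it; local stack sends RST.
    Pkt(2.0, "in", "203.0.113.7", 53, "192.0.2.10", 1025, "SA"),
    Pkt(2.0, "out", "192.0.2.10", 1025, "203.0.113.7", 53, "R"),
    Pkt(3.0, "in", "203.0.113.7", 53, "192.0.2.11", 2311, "SA"),
    Pkt(3.0, "out", "192.0.2.11", 2311, "203.0.113.7", 53, "R"),
    # Bare inbound SYN to port 53: a real connection attempt, not backscatter.
    Pkt(4.0, "in", "203.0.113.9", 5555, "192.0.2.10", 53, "S"),
]


def find_backscatter(packets, window=30.0):
    """Return {remote_ip: [unsolicited inbound SYN+ACK packets]}.

    A SYN+ACK is unsolicited when no outbound SYN for the mirrored 4-tuple
    was seen within `window` seconds before it. That pattern is what a host
    sees when its address was forged as the source of SYNs sent elsewhere.
    """
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> SYN time
    hits = {}
    for p in sorted(packets, key=lambda p: p.ts):  # stable: ties keep log order
        if p.direction == "out" and p.flags == "S":
            pending[(p.src, p.sport, p.dst, p.dport)] = p.ts
        elif p.direction == "in" and p.flags == "SA":
            syn_ts = pending.get((p.dst, p.dport, p.src, p.sport))
            if syn_ts is None or p.ts - syn_ts > window:
                hits.setdefault(p.src, []).append(p)
    return hits


if __name__ == "__main__":
    for remote, pkts in find_backscatter(SAMPLE).items():
        targets = sorted({p.dst for p in pkts})
        print(f"{remote}: {len(pkts)} unsolicited SYN+ACK to {targets}")
```

Many unsolicited SYN+ACKs from one remote service port, spread across local addresses and ports, fit the backscatter explanation better than a deliberate probe.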