List:       ipfilter
Subject:    Re: Odd behavior with blocked DNS
From:       Jefferson Ogata <Jefferson.Ogata () noaa ! gov>
Date:       2006-08-11 0:48:04
Message-ID: 44DBD3C4.4070302 () noaa ! gov

On 2006-08-09 01:14, Michael T. Davis wrote:
> At 17:03:57.06 on 8-AUG-2006 in message
> <01M5R7MBWOB6A4O8M2@er6s1.eng.ohio-state.edu>, I wrote:
>> [...]
>> 	Despite the above rules, TCP port 53 SYN packets are apparently making
>> it past the firewall, since I'm seeing RST (reset) packets being sent out in
>> response.[...]
> 
> 	Apologies...I was misinterpreting things.  The packets weren't aimed
> at port 53 on our network--they were coming _from_ port 53 on the remote
> system.  The initial packet has not only SYN but ACK set.  I'd guess this guy
> in China's trying to get a rise out of systems here.

Or, perhaps you're seeing backscatter from a DNS-based denial-of-service
attack directed at the Chinese IP with forged source addresses that
happen to include the IP of your system.

-- 
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
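
Added example, not part of the original message: one way to check the backscatter hypothesis against a packet log is to count inbound SYN+ACK segments that answer no SYN the local network ever sent, grouped by remote address and port. The record layout, the `unsolicited_synacks` name and the sample packets (documentation address ranges) are constructed for illustration.

```python
import ipaddress
from collections import Counter

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits

def unsolicited_synacks(packets, local_net):
    """Count inbound SYN+ACKs that match no outbound SYN.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, flags).
    Returns Counter keyed by (remote_ip, remote_port).
    """
    net = ipaddress.ip_network(local_net)
    pending = set()   # half-open connections we initiated
    hits = Counter()
    for src, sport, dst, dport, flags in packets:
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local and not dst_local:
            # Outbound bare SYN: remember it so the reply is expected.
            if (flags & SYN) and not (flags & ACK):
                pending.add((src, sport, dst, dport))
        elif dst_local and not src_local:
            if (flags & (SYN | ACK)) == (SYN | ACK):
                key = (dst, dport, src, sport)
                if key in pending:
                    pending.discard(key)       # legitimate handshake reply
                else:
                    hits[(src, sport)] += 1    # nobody here asked for this
    return hits

# Constructed sample: local network 192.0.2.0/24.
SAMPLE = [
    # Legitimate DNS-over-TCP lookup initiated locally.
    ("192.0.2.10", 40000, "198.51.100.5", 53, SYN),
    ("198.51.100.5", 53, "192.0.2.10", 40000, SYN | ACK),
    # SYN+ACKs from port 53 of a remote host that no local host contacted,
    # each answered by a local RST (the pattern described in the thread).
    ("203.0.113.7", 53, "192.0.2.10", 31337, SYN | ACK),
    ("192.0.2.10", 31337, "203.0.113.7", 53, RST),
    ("203.0.113.7", 53, "192.0.2.11", 1025, SYN | ACK),
    ("192.0.2.11", 1025, "203.0.113.7", 53, RST),
    ("203.0.113.7", 53, "192.0.2.12", 2048, SYN | ACK),
    ("192.0.2.12", 2048, "203.0.113.7", 53, RST),
]

if __name__ == "__main__":
    for (ip, port), n in unsolicited_synacks(SAMPLE, "192.0.2.0/24").items():
        print(f"{n} unsolicited SYN+ACK from {ip}:{port}")
```

Many unsolicited SYN+ACKs from a single remote service port, spread over local addresses and ports that never sent a SYN, fit the backscatter explanation; a stateful filter drops them because they match no state entry.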