Strange attack attempt
Hello list,

Last Sunday around 15:00 GMT+2 I started receiving hundreds of A6
requests per second to my DNS server. The logs from tcpdump look like
this:

# tcpdump -n -i ne4

15:24:46.270133 193.136.200.38.1055 > 213.97.200.73.53: 35480 A6?
mindfields.energyhq.es.eu.org. (47)
15:24:46.273419 193.136.200.38.1055 > 213.97.200.73.53: 56458 A6?
mindfields.energyhq.es.eu.org. (47)
15:24:46.278282 193.136.200.38.1055 > 213.97.200.73.53: 39876 A6?
mindfields.energyhq.es.eu.org. (47)

After a while I started getting the same requests from another box
in the same /16, but with source port 53. I quickly set up a pf rule to
block them, but they kept flooding the box for about 3 hours.

Now, the questions:

Have any of you ever seen this kind of flood before?
Could it be some badly configured software? (Don't think so, but you
never know with Windows stuff.)
What measures do you guys usually take in cases like this one? I
whois'ed the IP address, which seems to belong to Coimbra University in
Portugal, and e-mailed the person in charge about the incident. Being UDP
packets, they could have been spoofed, of course.

Cheers,
-- 
	Miguel Mendez <flynn@energyhq.es.eu.org>
	http://www.energyhq.es.eu.org
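The following is an added example, not code from the poster or the list, showing how the tcpdump lines quoted above can be parsed and turned into a per-source query-rate check: it flags sources that exceed a queries-per-second threshold, groups flagged sources by /16 so the two hosts in the post count as one event, and separately lists sources whose queries arrive from UDP source port 53 (an oddity worth noting before blaming the apparent owner, since UDP source addresses are easy to forge). The sample log is constructed in the format the post shows, with the wrapped query names joined back onto one line; the second host 193.136.201.7, the 10.1.2.3 client and the threshold value are all invented for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample in the "tcpdump -n" DNS query format from the post.
# The first source address is the one quoted in the post; 193.136.201.7
# (a second host in the same /16, querying from source port 53) and the
# 10.1.2.3 client are invented for this example. Not a real capture.
SAMPLE_LOG = """\
15:24:46.270133 193.136.200.38.1055 > 213.97.200.73.53: 35480 A6? mindfields.energyhq.es.eu.org. (47)
15:24:46.273419 193.136.200.38.1055 > 213.97.200.73.53: 56458 A6? mindfields.energyhq.es.eu.org. (47)
15:24:46.278282 193.136.200.38.1055 > 213.97.200.73.53: 39876 A6? mindfields.energyhq.es.eu.org. (47)
15:24:46.281004 193.136.200.38.1055 > 213.97.200.73.53: 40012 A6? mindfields.energyhq.es.eu.org. (47)
15:24:46.900000 10.1.2.3.40123 > 213.97.200.73.53: 11111 A? www.energyhq.es.eu.org. (40)
15:24:47.010000 193.136.201.7.53 > 213.97.200.73.53: 22222 A6? mindfields.energyhq.es.eu.org. (47)
15:24:47.015000 193.136.201.7.53 > 213.97.200.73.53: 22223 A6? mindfields.energyhq.es.eu.org. (47)
15:24:47.020000 193.136.201.7.53 > 213.97.200.73.53: 22224 A6? mindfields.energyhq.es.eu.org. (47)
15:24:47.500000 10.1.2.3.40124 > 213.97.200.73.53: 11112 MX? energyhq.es.eu.org. (36)
"""

# One tcpdump DNS query line: timestamp, src.port > dst.port: txid[+] QTYPE? qname (len)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)\+?\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<length>\d+)\)\s*$"
)


def parse_queries(text):
    """Parse tcpdump DNS query lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "length"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def flood_sources(records, qps_threshold):
    """Return {source_ip: peak queries per second} for every source whose
    query count in some one-second bucket reaches qps_threshold."""
    per_second = Counter((r["src"], r["ts"]) for r in records)
    peak = defaultdict(int)
    for (src, _ts), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n >= qps_threshold}


def group_by_prefix(sources, prefixlen=16):
    """Group flagged sources by network prefix, so several hosts in one /16
    (as in the post) are reported as a single event."""
    groups = defaultdict(list)
    for src in sources:
        net = ip_network(f"{src}/{prefixlen}", strict=False)
        groups[str(net)].append(src)
    return dict(groups)


def port53_sources(records):
    """Sources whose queries arrive from UDP source port 53. Stub resolvers do
    not normally query from port 53, and since UDP sources are trivially forged
    this is worth recording before attributing the traffic to an owner."""
    return sorted({r["src"] for r in records if r["sport"] == 53})


def summarize(text, qps_threshold=100):
    """Full report for a log: flagged sources, their /16 groups, port-53 sources
    and the query types making up the flood. The default threshold is an
    assumed value; tune it to the server's normal per-client rate."""
    records = parse_queries(text)
    flagged = flood_sources(records, qps_threshold)
    flood_qtypes = Counter(r["qtype"] for r in records if r["src"] in flagged)
    return {
        "flagged": flagged,
        "by_prefix": group_by_prefix(flagged),
        "port53": port53_sources(records),
        "flood_qtypes": dict(flood_qtypes),
    }


if __name__ == "__main__":
    # The constructed sample is tiny, so a low threshold is used to demonstrate.
    for key, value in summarize(SAMPLE_LOG, qps_threshold=3).items():
        print(f"{key}: {value}")
```

For a live capture, pipe `tcpdump -n -l -i <iface> udp dst port 53` into this script (for example with `summarize(sys.stdin.read(), 200)`) and feed the flagged prefixes to the pf table you block on, rather than adding rules by hand for each new host in the same /16.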