Date: Mon, 1 Jul 2002 15:32:34 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Tilo Kremer <sa9k063@public.uni-hamburg.de>
Cc: freebsd-security@freebsd.org
Subject: Re: other DoSes
Message-ID: <20020701123233.GC376@straylight.oblivion.bg>
In-Reply-To: <20020701132845.A88200@public.uni-hamburg.de>
References: <20020701132845.A88200@public.uni-hamburg.de>
On Mon, Jul 01, 2002 at 01:28:45PM +0200, Tilo Kremer wrote:
> hi,
> apart from the Apache worm, on Friday I saw some other weird things going on on my FreeBSD machines:
> my dns was flooding my mx. resolver:53 -> mx:1032

This is most probably in reverse: I would guess that, in fact, it was your mail exchanger sending lots of requests to your DNS server. The value of the port number at the MX's side - 1032 - seems like an ephemeral port, one that is allocated dynamically for each outgoing connection.

Thus, my guess would be that something is actually flooding your MX server (or, to be a bit more pedantic, some service running on that server) with some kind of application requests, and the server is trying to resolve the flooder's IP addresses to hostnames so it can log them properly.

Take a look at the logs of all the services running on your mail exchanger at the time; it does not have to be mail-related (web, SSH, FTP come to mind), and even if it is, you still have a choice between SMTP, POP3, IMAP, or some other e-mail related service. Try to find out which service was generating the name resolution requests, then try to find out whether they were indeed a result of an attack or just normal high traffic.

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
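An added triage helper, not part of this thread, that applies the two steps Peter suggests: judge the direction of the DNS exchange from which side holds the ephemeral port, then count connections per service and client in the mail exchanger's logs to see what triggered the reverse lookups. The flow strings and syslog lines are constructed sample data, and the ephemeral-port threshold of 1024 is an assumption about the hosts.

```python
"""Triage helper for the DNS-vs-MX flood discussed above (added example).
Step 1: from "src:port -> dst:port", the side holding an ephemeral port is
the client that initiated the exchange. Step 2: count connections per
service and client IP in the MX's logs; each logged client means one lookup.
All inputs below are constructed sample data, not real captures or logs."""
import re
from collections import Counter

FLOW_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")
# Assumed ephemeral range start (classic BSD default); adjust for the hosts.
EPHEMERAL_START = 1024

def client_of(flow: str) -> str:
    """Return the host that initiated the exchange, judged by port numbers."""
    m = FLOW_RE.match(flow.strip())
    if not m:
        raise ValueError(f"unparsable flow: {flow!r}")
    src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
    src_eph, dst_eph = sport >= EPHEMERAL_START, dport >= EPHEMERAL_START
    if src_eph == dst_eph:
        return "unknown"  # both or neither ephemeral: ports alone can't tell
    return src if src_eph else dst

# Constructed syslog-style lines from the MX (IPs are documentation ranges).
SAMPLE_LOG = """\
Jun 28 10:01:02 mx sendmail[1201]: g5S8123: from=<a@example.org>, relay=h1.example.org [192.0.2.10]
Jun 28 10:01:02 mx sshd[1302]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jun 28 10:01:03 mx sshd[1303]: Failed password for root from 198.51.100.7 port 40113 ssh2
Jun 28 10:01:03 mx sshd[1304]: Failed password for admin from 198.51.100.7 port 40114 ssh2
Jun 28 10:01:04 mx sendmail[1205]: g5S8127: from=<b@example.net>, relay=h2.example.net [192.0.2.11]
"""
# "Mon DD HH:MM:SS host service[pid]: ... <first IPv4 address on the line>"
LOG_RE = re.compile(r"^\S+ \d+ \S+ \S+ (\w+)\[\d+\]: .*?(\d{1,3}(?:\.\d{1,3}){3})")

def connections_by_service(log: str) -> Counter:
    """Count (service, client_ip) pairs seen in the log."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[(m[1], m[2])] += 1
    return counts

def top_source(log: str):
    """The (service, client_ip) pair generating the most lookups, with its count."""
    counts = connections_by_service(log)
    return counts.most_common(1)[0] if counts else None
```

Run against real logs, a single (service, client) pair dominating the count points at the service whose logging drove the resolver traffic; whether that client is an attacker or just a busy peer is still a judgement call, as the mail says.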