From owner-freebsd-isp Fri May 1 21:39:38 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA04135 for freebsd-isp-outgoing; Fri, 1 May 1998 21:39:38 -0700 (PDT) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from mail.actrix.gen.nz (root@mail.actrix.gen.nz [203.96.16.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA04121 for ; Fri, 1 May 1998 21:39:24 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from [203.96.56.186] (aniwa.actrix.gen.nz [203.96.56.186]) by mail.actrix.gen.nz (8.8.8/8.8.5) with SMTP id QAA11870 for ; Sat, 2 May 1998 16:39:18 +1200 (NZST)
X-Sender: squiz1@mail.actrix.gen.nz
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 2 May 1998 16:41:35 +1200
To: isp@FreeBSD.ORG
From: andrew@squiz.co.nz (Andrew McNaughton)
Subject: Re: Named disappeared
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>On May 2, 12:12pm, Andrew McNaughton wrote:
>} Subject: Re: Named disappeared
>
>} So has anyone looked to see where the last packets to the named port came
>} from? Correlations there would tend to confirm the hacker theory.
>
>There's no reason the culprit couldn't be using a forged IP source address
>since he's not counting on getting a reply.

Of course, so a negative result proves nothing. However if a hacker didn't
forge a different address for every attack, evidence would be left that
separate machines had been affected by the same user agent, which would be
significant. It seems to me worth looking at the packet logs where they exist.

Andrew McNaughton

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Andrew McNaughton         =  ++64 4 389 6891
Any sufficiently advanced =  andrew@squiz.co.nz
bug is indistinguishable  =  http://www.squiz.co.nz
from a feature.           =  http://www.newsroom.co.nz
      -- Rich Kulawiec    =

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
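
The correlation suggested in this message, sketched as an added example that is not part of the original post: for each affected host, collect the sources that sent traffic to the named port shortly before named died, then report any source seen on more than one host. The log format, host names, addresses, crash times and the 30-second window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: time named was found dead on each affected host.
CRASHES = {
    "ns1.example.net": "1998-05-01 03:14:20",
    "ns2.example.org": "1998-05-01 09:41:05",
    "ns3.example.com": "1998-05-02 01:02:50",
}

# Constructed packet log, assumed format: "host date time src_ip dst_port".
PACKET_LOG = """\
ns1.example.net 1998-05-01 03:10:02 192.0.2.10 53
ns1.example.net 1998-05-01 03:14:18 198.51.100.7 53
ns1.example.net 1998-05-01 03:14:19 192.0.2.44 80
ns2.example.org 1998-05-01 09:30:00 203.0.113.5 53
ns2.example.org 1998-05-01 09:41:04 198.51.100.7 53
ns3.example.com 1998-05-02 00:10:00 198.51.100.7 53
ns3.example.com 1998-05-02 01:02:49 203.0.113.99 53
"""

def last_sources_before_crash(log_text, crashes, port=53,
                              window=timedelta(seconds=30)):
    """Map source IP -> set of hosts it hit on `port` within `window` before the crash."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines instead of aborting the run
        host, day, clock, src, dport = fields
        if host not in crashes or int(dport) != port:
            continue
        sent = datetime.strptime(f"{day} {clock}", FMT)
        died = datetime.strptime(crashes[host], FMT)
        if timedelta(0) <= died - sent <= window:
            seen[src].add(host)
    return seen

def shared_sources(seen, min_hosts=2):
    """Sources present in the pre-crash window on at least `min_hosts` hosts."""
    # An empty result proves nothing: each packet's source may have been forged.
    return {src: sorted(h) for src, h in seen.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for src, hosts in shared_sources(last_sources_before_crash(PACKET_LOG, CRASHES)).items():
        print(f"{src} seen just before named died on: {', '.join(hosts)}")
```
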