Date: Tue, 06 Jun 2000 16:58:01 -0400
From: Jim C <jconner@enterit.com>
To: "Eric J. Schwertfeger" <ejs@bfd.com>, first name <ejsilver49@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: DNS DOS attack? Probably not....
Message-ID: <4.2.0.58.20000606165315.01675800@mail.enterit.com>
In-Reply-To: <Pine.BSF.4.10.10006061237340.24919-100000@harlie.bfd.com>
References: <20000606190749.7705.qmail@hotmail.com>
At 12.41 06.06.00 -0700, Eric J. Schwertfeger wrote:
>On Tue, 6 Jun 2000, first name wrote:
>
> > I run a DNS server for a small ISP. In the middle of the night, our DNS
> > server gets repeated requests for lookups from a small number of users. One
> > user might generate 100 to 150 DNS requests each minute. Others might send
> > 50 to 75 requests per minute.
> >
> > There is a core group that does this every night. And an equal number of
> > people send the repeated DNS requests off and on. Most are forward lookups,
> > but about 25% are reverse lookups.
> >
> > Any idea what the hell they are doing? DOS? Cracking? Trying to keep the
> > connection nailed up? Why would any program need to do 100 DNS lookups in a
> > minute? Could I have set up something wrong? Can't imagine what.
> >
> > Thanks for any ideas or information.

<warning type=necessary> The following advice is difficult to say therefore sounds lame. Please disregard the lame soundedness and read into the advice =P </warning>

If this were something I had to deal with I would probably attempt to get in touch with the person/people these "attacks" are coming from. Actually, let me restate that a better way. I would find out where these lookups are coming from and contact the ISP or Network folks that own this/these addresses the lookups are coming from and see if they can either 1. tell me what they are doing (if it's them performing the lookups) or 2. have them monitor their traffic and see if they can track it down (perhaps it's one of their customers or worse yet a "hacker" connected through them).

- Jim

>There's a batch program for analog that fills in RDNS info in web server
>logs, though that doesn't explain the forward lookups. Maybe they're
>flushing sendmail queues.
>
>No one thing answers all the questions, it may be a combination of things
>done from a nightly cron job, or it might be something I haven't seen yet.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
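The thread above reasons from per-user query rates (100 to 150 lookups a minute, about a quarter of them reverse lookups) without showing how to measure them. The following is an added example, not code from the thread or from any FreeBSD tool: it buckets query-log lines by client and minute, reports each client's busiest minute and reverse-lookup share, and lists the clients worth raising with their ISP. The log line layout and the sample lines are constructed assumptions for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not from the thread); the line layout
# "<date> <time> client <ip> query: <name> <type>" is an assumption for this example.
SAMPLE_LOG = """\
06-Jun-2000 02:00:01 client 10.0.0.5 query: www.example.com A
06-Jun-2000 02:00:02 client 10.0.0.5 query: 5.0.0.10.in-addr.arpa PTR
06-Jun-2000 02:00:05 client 10.0.0.9 query: mail.example.net MX
06-Jun-2000 02:00:11 client 10.0.0.5 query: ftp.example.org A
06-Jun-2000 02:00:17 client 10.0.0.5 query: 9.0.0.10.in-addr.arpa PTR
06-Jun-2000 02:00:30 client 10.0.0.5 query: www.example.net A
06-Jun-2000 02:00:44 client 10.0.0.5 query: ns1.example.com A
06-Jun-2000 02:01:02 client 10.0.0.9 query: www.example.com A
06-Jun-2000 02:01:10 client 10.0.0.5 query: www.example.com A
"""
LINE_RE = re.compile(r"^(\S+ \d\d:\d\d):\d\d client (\S+) query: (\S+) (\S+)$")

def parse_line(line):
    """Return (minute_bucket, client, is_reverse), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    minute, client, name, qtype = m.groups()
    # A reverse lookup is a PTR query under in-addr.arpa (or ip6.arpa).
    is_reverse = qtype == "PTR" and name.lower().endswith((".in-addr.arpa", ".ip6.arpa"))
    return minute, client, is_reverse

def summarize(log_text):
    """Per client: peak queries seen in any single minute and share of reverse lookups."""
    per_minute = defaultdict(Counter)  # client -> Counter(minute -> query count)
    total, reverse = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip noise such as server start-up messages
        minute, client, is_reverse = parsed
        per_minute[client][minute] += 1
        total[client] += 1
        reverse[client] += int(is_reverse)
    return {c: {"peak_per_minute": max(per_minute[c].values()),
                "reverse_fraction": reverse[c] / total[c]} for c in total}

def flag_clients(log_text, threshold):
    """Clients whose busiest minute reaches the threshold; worth a call to their ISP."""
    return sorted(c for c, s in summarize(log_text).items()
                  if s["peak_per_minute"] >= threshold)
```

Run against a real query log, set the threshold from a quiet baseline rather than a guess, and keep the per-client summary as the evidence to hand to the upstream ISP.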