
In message <Pine.LNX.4.64.0901271739380.27614@mail.pirk.com>, Steve Pirk writes:
On Wed, 28 Jan 2009, jay@miscreant.org wrote:
Quoting John Martinez <jmartinez@zero11.com>:
Are we still seeing DNS DDoS attack?
Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146.
Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.
I run a small personal nameserver and even I am seeing requests for that address 64.57.246.146 at ~1/sec.
How many people have upgraded to the latest version of Bind 9? Reason I ask is that when I do my nightly port scan of my server, I no longer see named listening to udp on a random high order port (for replies I believe?). Almost the next day, I started hearing about/seeing these DNS attacks.
Totally unrelated. Named now creates multiple listening ports on demand. Mark
Previous nmap scan showed:

  53/tcp    open          domain
  53/udp    open|filtered domain
  33591/udp open|filtered unknown

Now nmap shows:

  53/tcp    open          domain
  53/udp    open|filtered domain
The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1. The port was bound at startup time and did not change as long as named was still running.

--
Steve
Equal bytes for women.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
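The posters above are reading query rates off their servers by eye (about two queries a second from one address, one every 62 seconds from another). The script below does the same from a BIND query log: it groups query-log lines by client address and reports the count, the mean inter-arrival interval and the implied queries per second for each. It is an added example, not code from this thread or from ISC. It assumes the BIND 9.4-style `client A.B.C.D#port: query: name class type flags` line format; the sample log is constructed to mirror the rates reported in the thread, and the query names, ports and timestamps in it are illustrative rather than observed.

```python
"""Per-source query-rate summary over a BIND query log.

Added example, not code from the thread or from ISC.  Assumes the
BIND 9.4-style query_log line format:
    <date> <time>.<ms> client <addr>#<port>: query: <qname> <class> <type> <flags>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  The client addresses are the two named in the
# thread and the timing (one source at ~2 queries/s, another every 62 s)
# mirrors what the posters reported; query names, ports and the startup
# line are illustrative, not observed.
SAMPLE_LOG = """\
28-Jan-2009 17:39:37.900 starting BIND 9.4.3-P1
28-Jan-2009 17:39:38.001 client 64.57.246.146#3456: query: . IN NS +
28-Jan-2009 17:39:38.118 client 192.0.2.10#53211: query: www.example.com IN A +
28-Jan-2009 17:39:38.501 client 64.57.246.146#3456: query: . IN NS +
28-Jan-2009 17:39:38.640 client 76.9.16.171#2048: query: . IN NS +
28-Jan-2009 17:39:39.001 client 64.57.246.146#3456: query: . IN NS +
28-Jan-2009 17:39:39.501 client 64.57.246.146#3456: query: . IN NS +
28-Jan-2009 17:39:40.001 client 64.57.246.146#3456: query: . IN NS +
28-Jan-2009 17:39:40.501 client 64.57.246.146#3456: query: . IN NS +
28-Jan-2009 17:40:40.640 client 76.9.16.171#2048: query: . IN NS +
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[0-9A-Fa-f.:]+)#(?P<sport>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict per query line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # startup messages, other log categories, etc.
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f")
        d["sport"] = int(d["sport"])
        entries.append(d)
    return entries


def summarize_sources(entries):
    """Per client address: count, mean inter-arrival interval, implied qps."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    stats = {}
    for src, es in by_src.items():
        es.sort(key=lambda e: e["ts"])
        count = len(es)
        if count > 1:
            span = (es[-1]["ts"] - es[0]["ts"]).total_seconds()
            mean_interval = span / (count - 1)
            qps = 1.0 / mean_interval if mean_interval > 0 else float("inf")
        else:
            mean_interval = None  # a single query gives no interval to measure
            qps = 0.0
        stats[src] = {
            "count": count,
            "mean_interval": mean_interval,
            "qps": qps,
            "queries": sorted({(e["qname"], e["qtype"]) for e in es}),
        }
    return stats


def flag_sources(entries, min_qps=1.0, min_count=5):
    """Clients sending at least min_count queries at >= min_qps, busiest first."""
    stats = summarize_sources(entries)
    hot = [(src, s) for src, s in stats.items()
           if s["count"] >= min_count and s["qps"] >= min_qps]
    return sorted(hot, key=lambda item: item[1]["qps"], reverse=True)


if __name__ == "__main__":
    for src, s in sorted(summarize_sources(parse_query_log(SAMPLE_LOG)).items()):
        iv = "n/a" if s["mean_interval"] is None else f"{s['mean_interval']:.3f}s"
        print(f"{src:16} {s['count']:4d} queries  interval {iv:>9}  ~{s['qps']:.2f} q/s")
```

The thresholds in `flag_sources` are arbitrary and chosen to match the rates discussed above; on a busy resolver they need tuning. One caveat when reading the output: if the client address is spoofed, as in a reflection attack, the logged client is the party receiving the replies, so the figure measures traffic the server is reflecting toward that address, not traffic an attacker's own host is sending.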