zebulebu
08-02-2007, 18:27
I'm on Telewest and have seen a huge increase in the past month or so in traffic to port 53 from Chinese IP addresses.
I always had this in the past, and wasn't overly concerned, as it seemed to be just part of the regular background noise of the net (I presumed it was automated tools looking for unprotected DNS servers, attempting to force a zone transfer)
However, in the past month or so, I have gone from seeing an average of around 10 per hour to almost 200. They all take the same basic form (four or five knocks on UDP port 53 initiated from a random high port, followed by three or four to TCP 53 initiated from a lower, but seemingly still random series of ports), e.g.:
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 2288 - 53 - TCP
61.135.158.211 - 2310 - 53 - TCP
61.135.158.211 - 2341 - 53 - TCP
61.135.158.211 - 4020 - 53 - TCP
Lookups indicate that all the offenders are Chinese boxes - presumably compromised by something that is running automated scans.
Should I be overly concerned about this?
I contacted Telewest, who couldn't give a monkeys, and just chastened me for running a DNS server on my cable line! When I suggested that they just take a look at my logs and block the (obviously compromised) boxes that are trying to connect to me, they again scoffed at the idea.
It does seem odd that there should all of a sudden be so much more activity, especially since I've been scanning newsgroups & the like for a while to see if there are any new vulnerabilities I should be wary of.
Thanks in advance
PS: I am aware of the DDoS attempt on the root servers yesterday - sure it's nothing to do with that though as it's been going on for a month or so now.
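As an added illustration (not code from the original post), a small Python script that parses log lines in the layout quoted above, groups hits on port 53 by source address, and flags sources that show the described pattern of repeated UDP/53 probes from one high port followed by TCP/53 attempts from several ports. The thresholds, the use of log order in place of timestamps, and the second source address in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the "src - srcport - dstport - proto" layout quoted
# above; the second (constructed) source only sends UDP and must not be flagged.
SAMPLE_LOG = """\
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 2288 - 53 - TCP
61.135.158.211 - 2310 - 53 - TCP
61.135.158.211 - 2341 - 53 - TCP
61.135.158.211 - 4020 - 53 - TCP
192.0.2.7 - 41000 - 53 - UDP
192.0.2.7 - 41000 - 53 - UDP
"""

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) - (\d+) - (\d+) - (UDP|TCP)$")

def parse(text):
    """Return (line_no, src, sport, dport, proto) tuples; skip malformed lines."""
    events = []
    for n, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dport, proto = m.groups()
            events.append((n, src, int(sport), int(dport), proto))
    return events

def find_probe_sources(events, min_udp=3, min_tcp=2):
    """Map src -> (udp_hits, tcp_hits) for sources matching the UDP-then-TCP pattern."""
    by_src = defaultdict(list)
    for e in events:
        if e[3] == 53:                       # only traffic aimed at the DNS port
            by_src[e[1]].append(e)
    hits = {}
    for src, evs in by_src.items():          # evs keeps log order
        udp = [e for e in evs if e[4] == "UDP"]
        tcp = [e for e in evs if e[4] == "TCP"]
        if len(udp) < min_udp or len(tcp) < min_tcp:
            continue
        one_udp_port = len({e[2] for e in udp}) == 1 and udp[0][2] >= 1024
        tcp_ports_vary = len({e[2] for e in tcp}) == len(tcp)
        udp_before_tcp = udp[-1][0] < tcp[0][0]   # log order stands in for time
        if one_udp_port and tcp_ports_vary and udp_before_tcp:
            hits[src] = (len(udp), len(tcp))
    return hits
```

Counting the keys of the returned dictionary per hour of log gives the per-hour figure the post compares against its earlier baseline.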