In message <pine.lnx.4.64.0901271739380.27...@mail.pirk.com>, Steve Pirk writes : > On Wed, 28 Jan 2009, j...@miscreant.org wrote: > > > Quoting John Martinez <jmarti...@zero11.com>: > > > >> Are we still seeing DNS DDoS attack? > > > > Yep. I'm seeing ~2 queries/sec targetting 64.57.246.146. > > > > Also seeing requests from 76.9.16.171 every 1 minute 2 seconds. > > > > I run a small personal nameserver and even I am seeing requests for that > address 64.57.246.146 at ~1/sec. > > How many people have upgraded to the latest version of Bind 9? Reason > I ask is that when I do my nightly port scan of my server, I no longer see > named listening to udp on a random high order port (for replies I believe?). > Almost the next day, I started hearing about/seeing these DNS attacks.
Totally unrelated. Named now creates multiple listening ports on demand. Mark > Previous nmap scan showed: > 53/tcp open domain > 53/udp open|filtered domain > 33591/udp open|filtered unknown > > Now nmap shows: > 53/tcp open domain > 53/udp open|filtered domain > > The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1. > The port was bound at startup time and did not change as long as named was > still running. > -- > Steve > Equal bytes for women. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org