In message <pine.lnx.4.64.0901271739380.27...@mail.pirk.com>, Steve Pirk writes
:
> On Wed, 28 Jan 2009, j...@miscreant.org wrote:
>
> > Quoting John Martinez <jmarti...@zero11.com>:
> >
> >> Are we still seeing DNS DDoS attack?
> >
> > Yep. I'm seeing ~2 queries/sec targetting 64.57.246.146.
> >
> > Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.
> >
>
> I run a small personal nameserver and even I am seeing requests for that
> address 64.57.246.146 at ~1/sec.
>
> How many people have upgraded to the latest version of Bind 9? Reason
> I ask is that when I do my nightly port scan of my server, I no longer see
> named listening to udp on a random high order port (for replies I believe?).
> Almost the next day, I started hearing about/seeing these DNS attacks.
Totally unrelated. Named now creates multiple listening
ports on demand.
Mark
> Previous nmap scan showed:
> 53/tcp open domain
> 53/udp open|filtered domain
> 33591/udp open|filtered unknown
>
> Now nmap shows:
> 53/tcp open domain
> 53/udp open|filtered domain
>
> The listen port (> 32767 I believe) is no longer there with BIND 9.4.3-P1.
> The port was bound at startup time and did not change as long as named was
> still running.
> --
> Steve
> Equal bytes for women.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
