DNS DOS?

keenon Member Posts: 1,922
For the past 2 days we (the company I work for) have had 2 what seem to be internet problems. The first seemed like an ISP issue, but we noticed a trend when it began to happen again: all HTTP traffic was at a crawl but the outgoing DNS traffic was maxed out. It was isolated to a workstation; after shutting down its port the issue seemed to end.

so the question is:

Was what we were experiencing a reverse DNS attack?

What program/virus has this characteristic? If any.

Altogether this has made me even more interested in the security/exploitation aspects of computer/network systems.
Become the stainless steel sharp knife in a drawer full of rusty spoons

Comments

  • sprkymrk Member Posts: 4,884
    I believe the MyDoom virus has those characteristics (dns and smtp traffic).
    All things are possible, only believe.
  • RussS Member Posts: 2,068
    That was my pick too, sprkymrk. When I get something like this I like to put it on my test network and have Snort running to see what is happening. I will also slave it to my lab machine and do a full spyware and AV scan without deleting anything and then read the logs - best way to learn about these exploits.
    www.supercross.com
    FIM website of the year 2007
  • sprkymrk Member Posts: 4,884
    Yeah, I was going to ask if he had a **** of the traffic, but many people don't like to give out the IP addresses and such of their networks. It could just as easily have been a nasty spyware phoning home too. I once ran into one that generated (from a W98 computer) about 50% of the network traffic for a 50 node LAN for a week's time. I finally found that the secretary had been emailed a game called "Yo Mama Osamma" which she promptly installed and played. I was the Domain Admin for that small LAN, having moved them from an old Novell/POP3 Sendmail setup to a W2K AD domain with Exchange 2K. Problem was I lived in the Midwest and this office was in Alabama, so I did everything remotely, only traveling on site about twice a year. Of course they had a part-time Help Desk lady there that was okay - she did the backups, new installs and some troubleshooting, but was not a network or security person.

    If I recall correctly the spyware generated about 15 GB of traffic in a week. I had the ISA 2000 firewall generate a weekly report which is how I noticed it.
    All things are possible, only believe.
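The thread's two detection approaches, isolating the single workstation whose outgoing DNS traffic was maxed out and noticing a chatty host from a weekly per-host traffic report, can be automated against a resolver's query log. The script below is an added example, not code from the original thread or from any poster; the log format is constructed to mimic a BIND-style query log, the IP addresses and thresholds are assumptions, and it flags hosts either for an unusually high per-minute query rate or for a high proportion of never-repeated names (the pattern left by software generating a fresh name per request rather than by ordinary browsing).

```python
"""Flag LAN hosts whose outbound DNS query pattern is far outside the norm.

Added example (not from the original thread). The log lines are constructed
for illustration and mimic a BIND-style query log:
  "DD-Mon-YYYY HH:MM:SS.mmm client IP#PORT: query: NAME IN TYPE"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: two normal clients and one chatty workstation
# (192.0.2.77) that fires 200 queries for 200 distinct names in one minute.
NORMAL_LINES = [
    "01-Jan-2024 10:00:01.000 client 192.0.2.10#53211: query: intranet.example.local IN A",
    "01-Jan-2024 10:00:05.000 client 192.0.2.10#53212: query: www.example.com IN A",
    "01-Jan-2024 10:01:02.000 client 192.0.2.10#53213: query: www.example.com IN A",
    "01-Jan-2024 10:00:02.000 client 192.0.2.11#40122: query: mail.example.com IN MX",
    "01-Jan-2024 10:00:09.000 client 192.0.2.11#40123: query: www.example.com IN A",
    "this line is deliberately malformed and must be skipped",
]
CHATTY_LINES = [
    f"01-Jan-2024 10:00:{10 + i // 100:02d}.{i % 100:03d} client 192.0.2.77#{50000 + i}: "
    f"query: q{i:03d}.example.net IN A"
    for i in range(200)
]
SAMPLE_LINES = NORMAL_LINES + CHATTY_LINES

LINE_RE = re.compile(
    r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group(2), m.group(3).lower()


def per_host_stats(lines):
    """Aggregate per client: total queries, busiest one-minute bucket, distinct names."""
    per_minute = defaultdict(Counter)   # ip -> Counter(minute -> query count)
    names = defaultdict(set)            # ip -> set of query names
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip lines in an unexpected format
        ts, ip, qname = parsed
        per_minute[ip][ts.replace(second=0, microsecond=0)] += 1
        names[ip].add(qname)
    stats = {}
    for ip, buckets in per_minute.items():
        stats[ip] = {
            "total": sum(buckets.values()),
            "peak_per_minute": max(buckets.values()),
            "unique_names": len(names[ip]),
        }
    return stats


def flag_noisy_hosts(lines, peak_threshold=100, min_total=50, unique_ratio=0.9):
    """Return {ip: [reasons]} for hosts worth pulling off the wire and examining.

    Thresholds are assumptions for this example; tune them to the baseline of
    the network the log comes from (a busy proxy or mail relay is noisy by design).
    """
    flagged = {}
    for ip, s in per_host_stats(lines).items():
        reasons = []
        if s["peak_per_minute"] > peak_threshold:
            reasons.append(f"{s['peak_per_minute']} queries in one minute")
        if s["total"] >= min_total and s["unique_names"] / s["total"] >= unique_ratio:
            reasons.append(f"{s['unique_names']} distinct names in {s['total']} queries")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_noisy_hosts(SAMPLE_LINES).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample only 192.0.2.77 is reported, on both counts. A flagged host is a candidate for the kind of isolated capture-and-scan RussS describes, not proof of infection on its own: the per-minute rule also catches a legitimately busy server, and the distinct-name rule can fire on a host running a large crawl, so the baseline for each network has to be established before the thresholds mean anything.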