Port scan attack from DNS resolver

  • From: "Don McCall" <DMcCall@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Dec 2002 16:28:03 +1100

Hi to you all,

Thanks for all the helpful information that can be gained from this
list. 

I have a situation that is causing me some concern. I have an ISA server
behind a Cisco Pix. Our DNS server is on the internal LAN. It uses
forwarders (through the ISA and the Pix) to resolve external URLs. The
ISA server uses our internal DNS server. However, every now and then,
about three times a day, the ISA server alerts me to an all port scan on
its external interface from the external DNS resolver (remember the ISA
is behind the PIX). I have Netmon and syslog server running between the
PIX and ISA (in the DMZ). The Syslog from the Pix also shows that there
appears to be many attempts to access our site from the DNS resolver.
There also do not appear to be any requests initiated from inside...
The ISP swears that they do not have a problem...

I then went to plan two and changed from the resolvers we were using to
another company's resolver... everything went well for several weeks; now
I have the problem again... Does anyone have any light that they can
shed on this? Is this common?

Regards

Don McCall     Email: dmccall@xxxxxxxxxx
Infrastructure Administrator - Information Systems
Baptist Community Services NSW & ACT
Telephone: (02) 9941 6049
Fax: (02) 9889 1520
Address: Corporate Services - 157 Balaclava Road Marsfield NSW

This message is intended for the addressee named and may contain
confidential information. If you are not the intended recipient, please
delete it and notify the sender. Views expressed in this message are
those of the individual sender, and are not necessarily the views of
Baptist Community Services.