[itdiscuss] Mass DNS requests from a VPN user
Glenn Kelley
glenn at vinehosting.com
Thu Aug 6 16:55:39 EDT 2009
good point
_____________________________________________________________________________________
Glenn Kelley | Network Architect | Vine Networks | www.VineHosting.com
Ohio NOC | 317 South North Street | Washington CH OH 43160
Skype Messenger: vinehosting
Email: glenn at vinehosting.com
Phone: 740-206-1140 x 6900
Please don't print this e-mail unless you really need to.
On Aug 6, 2009, at 4:42 PM, Derek Schwab wrote:
> You can also just mirror the switch port and listen on the mirrored
> port with wireshark. No need for a separate device/app.
>
> -Derek
>
>
> From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org
> ] On Behalf Of Glenn Kelley
> Sent: Thursday, August 06, 2009 4:31 PM
> To: IT Discussion Forum
> Subject: Re: [itdiscuss] Mass DNS requests from a VPN user
>
> try using wireshark in-between
> setup a transparent bridge and listen using that
> you will see all the port 53 traffic for sure - and who it is
>
> for an easy transparent bridge - (and some fun security stuff to
> have) check out www.pfsense.org
> it's free - (makes a nice firewall as well in fact ... )
>
> Hope that helps - if stuck skype me
>
> _____________________________________________________________________________________
> Glenn Kelley | Network Architect | Vine Networks |
> www.VineHosting.com
> Ohio NOC | 317 South North Street | Washington CH OH 43160
> Skype Messenger: vinehosting
> Email: glenn at vinehosting.com
> Phone: 740-206-1140 x 6900
> Please don't print this e-mail unless you really need to.
>
> On Aug 6, 2009, at 3:49 PM, Dayron Daugherty wrote:
>
>
>
> Over the last couple of days I’ve noticed a HUGE spike in A
> record DNS requests from our domain. We use OpenDNS and I check
> stats often. We usually have about 5000-6000 A record resolves in a
> day. The last 2 days we’ve had 25,000 – 26,000. Our AD servers are
> set as DNS forwarders which then forward on to the OpenDNS servers.
>
> I’ve been able to isolate the source of the DNS bombardment to our
> VPN server using good ol’ MS Network Monitor on our AD servers and
> VPN server. However, all that shows in the trace is the VPN server
> requesting the DNS lookup and then it being forwarded off to
> OpenDNS. It doesn't show the client who requested it. Also I have
> used DNS debugging logs and it shows roughly the same thing. Almost
> all local clients have admin rights removed from their PCs. This
> almost completely removed even the smallest of malware issues we'd
> get even with CA eTrust running and updated. In this case however,
> almost all our remote users are local admins of their laptops.
>
> _______________________________________________
> it discuss mailing list: discuss at itdiscuss.org
> Mailing List: http://itdiscuss.org/discuss
> Web Discussion Board: http://itdiscuss.org/discuss-forum
> Wiki: http://itdiscuss.org/wiki
> Internet Relay Chat: irc://irc.freenode.net/citrt
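The capture approach suggested in the thread (transparent bridge or mirrored switch port, Wireshark on port 53) produces a lot of frames; the useful step afterwards is counting A-record queries per source address to find the one VPN client behind the spike. The script below is an added example, not code from anyone in this thread. It assumes a libpcap file saved from Wireshark or tcpdump, captured on the client side of the VPN server (the tunnel segment where the clients' own addresses are visible, not the VPN server's forwarding to OpenDNS, which only shows the server). The 10.8.0.x pool, the 192.168.1.10 resolver and the hostnames are made up for the sample capture it builds in memory.

```python
"""Count DNS A-record queries per source in a pcap to find a chatty VPN client.

Added example (not from the mailing-list thread). Parses Ethernet/IPv4/UDP/DNS
headers by hand so it needs nothing beyond the standard library. The sample
capture at the bottom is constructed in code; addresses and names are invented.
"""
import struct
from collections import Counter

DNS_PORT = 53
ETH_TYPE_IPV4 = 0x0800
IP_PROTO_UDP = 17
QTYPE_A = 1


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from classic libpcap bytes (24-byte global header)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (pcapng not handled here)")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_dns_qname(dns: bytes, off: int):
    """Read an uncompressed question name; return (name, offset after the name)."""
    labels = []
    while True:
        length = dns[off]
        off += 1
        if length == 0:
            return ".".join(labels).lower(), off
        if length & 0xC0:  # compression pointers do not appear in a query's question
            raise ValueError("compressed label in question section")
        labels.append(dns[off:off + length].decode("ascii", errors="replace"))
        off += length


def parse_dns_query(frame: bytes):
    """Return (src_ip, qname, qtype) for a UDP/53 DNS *query* frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IP_PROTO_UDP:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    udp = ip[ihl:]
    _sport, dport = struct.unpack("!HH", udp[:4])
    if dport != DNS_PORT:
        return None
    dns = udp[8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR bit set means a response; skip it
        return None
    qname, off = parse_dns_qname(dns, 12)
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    return src_ip, qname, qtype


def top_dns_talkers(frames, qtype=QTYPE_A):
    """Return (queries per source IP, per-source Counter of queried names)."""
    per_src, names = Counter(), {}
    for frame in frames:
        parsed = parse_dns_query(frame)
        if parsed is None or parsed[2] != qtype:
            continue
        src, qname, _ = parsed
        per_src[src] += 1
        names.setdefault(src, Counter())[qname] += 1
    return per_src, names


def suspicious_sources(pcap_bytes: bytes, threshold: int = 20):
    """Sources with more A-record queries than `threshold`, busiest first."""
    per_src, _ = top_dns_talkers(iter_pcap_frames(pcap_bytes))
    return [(src, n) for src, n in per_src.most_common() if n > threshold]


# ---- constructed sample capture (checksums left zero; fine for parsing) ----
def build_dns_query_frame(src_ip, dst_ip, qname, qtype=QTYPE_A) -> bytes:
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 50000, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split("."))) + udp
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_TYPE_IPV4) + ip


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1249592000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap(
    [build_dns_query_frame("10.8.0.23", "192.168.1.10", f"host{i}.example.net") for i in range(60)]
    + [build_dns_query_frame("10.8.0.5", "192.168.1.10", "mail.example.com") for _ in range(3)]
    + [build_dns_query_frame("10.8.0.9", "192.168.1.10", "www.example.com", qtype=28)]  # AAAA, ignored
)

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_PCAP):
        print(f"{src}: {n} A-record queries")
```

With a real capture, replace `SAMPLE_PCAP` with `open("mirror.pcap", "rb").read()`; the file must be saved in the classic pcap format (Wireshark's default is pcapng, which this reader does not handle). The per-source name Counter is worth printing too: a client asking for thousands of distinct names is a different problem from one hammering a single name.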