Vista machine attack on DNS system - Firewalls

Thread: Vista machine attack on DNS system

  1. Vista machine attack on DNS system

    A number of times we have seen Windows Vista hosts on our
    Network "Attack" our DNS service.

    Most of these events seem to involve a pair of machines sending large
    numbers of data packets on dest port 53 > 4,000 per second to both
    the primary and secondary DNS servers. Note the port is limited to
    10mbps... I have wondered what would have happened if it was
    100/1000!!

    Investigations and packet captures have revealed:

    - The machines are always Vista machines

    - The DNS requests are attached to a single process. This
    appears to be "sharedAccess"

    - There appear to be two separate states. Hosts which have
    been involved seem to send abnormal numbers of DNS requests under
    "normal" operation (state 1), roughly 10 pps. Then, somehow an
    interaction with another machine (I guess) causes the bombardment.

    - The Vista machines seem to be "clean" of virus infection

    - Whilst looking at said machines, I have been unable to
    replicate an "attack event"

    Has anyone seen similar and is it reparable in a service pack for
    Vista?



  2. Re: Vista machine attack on DNS system


    "Shera" wrote in message
    news:94e5145a-5b37-42c0-ad22-fafb58d846b6@x41g2000hsb.googlegroups.com...



    You might want to post to msnews.microsoft.com to the
    MS.public.windows.vista security NG(s).


  3. Re: Vista machine attack on DNS system

    Shera wrote:
    > A number of times we have seen Windows Vista hosts on our
    > Network "Attack" our DNS service.


    Read this: http://www.securesphere.net/download...s/dnsspoof.htm

    > - The machines are always vista machines


    This is strange. Maybe the attacker doesn't want to flood any machine or
    himself (large amount of DNS replies), just to perform DNS spoofing
    "unnoticed"; Vista needs strong hardware.
    Maybe he is aiming at Vista machines.

    What am I guessing? The attacker spoofs DNS requests (choosing Vista machines
    to receive the replies) at the same time as he is spoofing replies to your DNS
    servers, thus poisoning your DNS records, and the Vista DNS cache as well.

    Maybe it is a bug like this one: http://support.microsoft.com/kb/939882

    Are those DNS requests for random or specific DNS names?

    Well, the best would be to contact MS support.
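One way to answer the two questions raised in this thread from a query log, as an added example that is not part of any post: per source host it measures the peak and average queries per second (the thread's ~10 pps "state 1" and >4,000 pps bombardment are the default thresholds) and the share of distinct names, which separates random-looking names from repeated specific ones. The tcpdump-like line format, host addresses and sample capture are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
# One query line of a tcpdump-style DNS log (constructed format, not a real tool's output):
# "<epoch> IP <src>.<sport> > <dst>.53: <txid>+ A? <name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: \S+ A\? (?P<name>\S+)$")
@dataclass
class HostVerdict:
    peak_pps: int         # most queries seen in any one-second bucket
    avg_pps: float        # queries per active second
    unique_ratio: float   # distinct names / queries; near 1.0 suggests random names
    state: str            # "normal", "elevated" (the thread's state 1) or "flood"

def parse(lines):
    """Yield (second, src, name) for each well-formed query line; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(float(m["ts"])), m["src"], m["name"]

def classify(lines, elevated_pps=10, flood_pps=4000):
    """Bucket queries per source host and second, then label each host."""
    per_sec = defaultdict(Counter)   # src -> {second: query count}
    names = defaultdict(Counter)     # src -> {name: query count}
    for sec, src, name in parse(lines):
        per_sec[src][sec] += 1
        names[src][name] += 1
    verdicts = {}
    for src, secs in per_sec.items():
        total, peak = sum(secs.values()), max(secs.values())
        avg = total / len(secs)
        state = "flood" if peak >= flood_pps else "elevated" if avg >= elevated_pps else "normal"
        verdicts[src] = HostVerdict(peak, avg, len(names[src]) / total, state)
    return verdicts
def query_line(sec, src, name, txid):
    return f"{1200000000 + sec}.000000 IP {src}.5{txid % 10000:04d} > 10.0.0.2.53: {txid}+ A? {name}"
def constructed_capture():
    """Constructed sample: a quiet host, a host in 'state 1' (~12 pps) and a flooding host."""
    lines = ["garbage line that must be skipped"]
    for s in range(5):                      # quiet host: 1 query/s, two real-looking names
        lines.append(query_line(s, "10.0.0.20", ["www.example.com", "mail.example.com"][s % 2], s))
    for s in range(5):                      # elevated host: 12 queries/s cycling over 3 names
        for i in range(12):
            lines.append(query_line(s, "10.0.0.30", f"svc{i % 3}.example.com", 100 + s * 12 + i))
    for i in range(4500):                   # flooding host: 4500 queries in one second, all-distinct names
        lines.append(query_line(3, "10.0.0.40", f"h{i:05d}.example.net", 1000 + i))
    return lines
```

Running `classify(constructed_capture())` labels 10.0.0.20 as normal, 10.0.0.30 as elevated (unique ratio 0.05, i.e. a few specific names) and 10.0.0.40 as flood (unique ratio 1.0, i.e. random-looking names).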


