RE: Attack/DoS

Thanks for all of your responses... but

1) I don't really need the consultants' replies saying that you will fix my
problems for $100/hour.

2) This isn't the BIND 8.x.x problem for getting root. For this reason:

interface Loopback10
ip address 209.115.17.65 255.255.255.224
ip access-group 113 out

It's rather difficult to get BIND to run on a Cisco 7507, although some
people probably have tried to get it to work.

We are viewing this from a Cisco router with an access-list that
basically looks like this:

  access-list 113 permit ip any any log

Example of the UDP port 0 attack:

list 113 permitted udp 38.9.202.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.66.96.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 199.191.128.106(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.62.44.10(0) -> 209.115.17.66(0), 1 packet

Example of the DNS (53) attack:

list 113 permitted udp 207.150.3.11(53) -> 209.115.17.66(53), 121 packets
list 113 permitted udp 203.77.1.1(53) -> 209.115.17.67(53), 1 packet
list 113 permitted udp 194.62.44.10(53) -> 209.115.17.67(53), 2 packets
list 113 permitted udp 194.66.96.2(53) -> 209.115.17.67(53), 91 packets

An interesting thing to note is whoever programmed this attack used the
same IP addresses in a round-robin type fashion for both (or maybe it is
just selectable in the DoS, who knows).

Todd R. Stroup
Fiber Network Solutions, Inc.
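
Added example, not part of the original message: a small Python parser for the "access-list 113 ... log" output quoted above that totals packets per source and reports which sources appear in both the UDP port 0 and port 53 traffic, which is the overlap the post points out. The function names are illustrative; the sample lines are copied from the message.

```python
import re
from collections import defaultdict

# Log lines copied from the message above (output of "access-list 113 ... log").
SAMPLE_LOG = """\
list 113 permitted udp 38.9.202.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.66.96.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 199.191.128.106(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.62.44.10(0) -> 209.115.17.66(0), 1 packet
list 113 permitted udp 207.150.3.11(53) -> 209.115.17.66(53), 121 packets
list 113 permitted udp 203.77.1.1(53) -> 209.115.17.67(53), 1 packet
list 113 permitted udp 194.62.44.10(53) -> 209.115.17.67(53), 2 packets
list 113 permitted udp 194.66.96.2(53) -> 209.115.17.67(53), 91 packets
"""

LINE_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per recognised ACL log line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a syslog prefix before "list"
        if not m:
            continue
        rec = m.groupdict()
        for key in ("acl", "sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def packets_by_source(records, proto, dport):
    """Sum packet counts per source address for one protocol and destination port."""
    totals = defaultdict(int)
    for rec in records:
        if rec["proto"] == proto and rec["dport"] == dport:
            totals[rec["src"]] += rec["count"]
    return dict(totals)

def sources_on_both_ports(records, proto="udp", ports=(0, 53)):
    """Sources seen on every listed destination port, with per-port packet totals."""
    per_port = {p: packets_by_source(records, proto, p) for p in ports}
    common = set.intersection(*(set(t) for t in per_port.values()))
    return {src: {p: per_port[p][src] for p in ports} for src in sorted(common)}

if __name__ == "__main__":
    print(sources_on_both_ports(parse_acl_log(SAMPLE_LOG)))
```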