I say load banish, banish the 201.220.15.75 IP and see what your end user then lacks.
You type that IP into a browser and you go to http://mail.unspoiledqueen.com/mail/src/login.php. Maybe your EUA prohibits such sites anyway?
"Doc. Caliban" <***@gmail.com> wrote:
> On 10Jul, 08, at 12:12 PM, John Edwards wrote:
>
> 200MB is way too much for DNS.
>
> UDP port 53 is open on most firewalls, so it can be used for obfuscated or
> encrypted traffic that wants to secretly bypass any blocked ports.
Hello,
Thank you to everyone for the replies.
Unfortunately, some of this is over my head as this is the first time
I've had to delve into traffic analysis this deeply.
Information that may be helpful:
I'm using BOT with DNS open from one specific server on Blue to a
specific server on Green.
This user is on Blue and should be being blocked from any access to
Red via BOT. There is a rule blocking HTTP access via IPCop, and a
rule blocking all other ports to Red.
For what it's worth, here's a screen cap of part of the NTOP page for
this user:
http://img294.imageshack.us/img294/6493/103zy7.png
>
>
> Suggestions:
>
> 1) Check that your monitoring software is OK. I would think there
> should be at least some web or email traffic in there.
>
> 2) Use tcpdump to grab a dump of the traffic on UDP port 53 and then
> wireshark to examine it. This will allow you to see if it is legitimate DNS
> traffic or not.
>
> 3) Talk to the user. Check their machine for new software, trojans,
> root kits, etc.
>
>
> Earlier this week there was a big DNS vulnerability in most DNS
> servers, this could be an attack on that but I would think it is
> a little early for an automated attack.
I'm googling for a concise howto on tcpdump and wireshark...
Thanks for the suggestions, everyone!
-Doc
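Suggestion 2 above is to capture UDP/53 and then judge whether it is real DNS. The script below is an added example, not part of this thread or of IPCop; it shows the kind of checks a defender applies to the captured queries: name length, label length, entropy of the subdomain part, use of TXT/NULL record types, and volume per zone (a single zone absorbing most of 200MB is the pattern to look for). The DNS packets are constructed inline (the tunnel-shaped name is made up), the thresholds are hypothetical starting points to tune against your own baseline, and the parser handles only the header and question section, which is all a query carries.

```python
"""Flag DNS tunnelling indicators in UDP/53 query messages (added example).

Constructed sample data only; the tunnel-shaped name below is made up.
"""
import math
import struct
from collections import Counter

# Query types that tunnelling tools favour because the answers carry large payloads.
QTYPE_A, QTYPE_NULL, QTYPE_TXT = 1, 10, 16

# Hypothetical thresholds; tune them against a baseline from your own capture.
MAX_QNAME_LEN = 100
MAX_LABEL_LEN = 40
MAX_SUBDOMAIN_ENTROPY = 4.0


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query (header + one question). Used here only to
    construct sample packets; on a real capture you would feed the UDP payloads."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length out of range")
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root terminator, QCLASS=IN
    return header + question


def parse_query(msg: bytes):
    """Parse the header and first question of a DNS message; returns (qname, qtype)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("compressed name in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded/random data scores high, real words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_indicators(qname: str, qtype: int, zone_labels: int = 2) -> list:
    """Return the names of the indicators that fire for one query."""
    labels = qname.split(".")
    subdomain = "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""
    found = []
    if len(qname) > MAX_QNAME_LEN:
        found.append("long_qname")
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        found.append("long_label")
    if shannon_entropy(subdomain) > MAX_SUBDOMAIN_ENTROPY:
        found.append("high_entropy_subdomain")
    if qtype in (QTYPE_TXT, QTYPE_NULL):
        found.append("txt_or_null_qtype")
    return found


def summarize_capture(messages, zone_labels: int = 2) -> dict:
    """Aggregate per zone: query count, bytes on the wire, suspicious query count."""
    report = {}
    for msg in messages:
        qname, qtype = parse_query(msg)
        zone = ".".join(qname.split(".")[-zone_labels:])
        entry = report.setdefault(zone, {"queries": 0, "bytes": 0, "suspicious": 0})
        entry["queries"] += 1
        entry["bytes"] += len(msg)
        if tunnel_indicators(qname, qtype, zone_labels):
            entry["suspicious"] += 1
    return report


# Constructed sample: two ordinary lookups and one tunnel-shaped TXT query.
TUNNEL_NAME = ("abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqr."
               "stuvwxyz234567abcdefghijklmnopqrstuvwxyz234567abcd.t.example.net")
SAMPLE_MESSAGES = [
    build_query("www.example.com", QTYPE_A),
    build_query("mail.example.com", QTYPE_A),
    build_query(TUNNEL_NAME, QTYPE_TXT),
]

if __name__ == "__main__":
    for zone, entry in summarize_capture(SAMPLE_MESSAGES).items():
        print(f"{zone:15} queries={entry['queries']} bytes={entry['bytes']} "
              f"suspicious={entry['suspicious']}")
```

To get real input for it, write the capture to a file with `tcpdump -i <iface> -w dns.pcap udp port 53` and open the file in Wireshark; the checks above are the same ones you would apply by eye to the Name and Type columns there, and a legitimate DNS client from one workstation should never produce hundreds of megabytes of them.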