DoS Attack Message or Just a Simple Query?
Q:
I check the firewall alert messages every day from my organization's firewall equipment, and it returns an alert message "anomaly: udp_src_session, 1001 > threshold 1000, repeated 214 times", starting from 172.10.2.45:51158 to 210.181.1.24:53.

I want to know whether it is really infected and indicates a DoS attack, or whether it is just a simple DNS query. I hope someone can help me. Thanks in advance, Jason.
Software/Hardware used:
FortiGate
ASKED: Sep 3 2009  2:22 AM GMT
Is the 172.10.2.45 client a machine you have access to or ownership of? If it is a Windows machine, or a machine where you can run the netstat command, I would run that (in Windows) using the -ano switches. The -a says display all connections; -n means use numbers for addresses rather than names; -o displays the owning process for the connection. This would permit you to see what process is running on port 51158 on that client. You might also want to capture some packets using Wireshark or something similar and see what this client is requesting.

It might interest you to know that the 210.181.1.24 address belongs to ns.cjdream.net, a server in Korea. So, if this is unexpected traffic from this client to this DNS server, it may be true that this client is infected with some malware.
Last Answered: Oct 19 2009  3:00 PM GMT by Labnuke99   26290 pts.
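The triage the answer describes, written out as a PowerShell script (an added example, not code from the thread or from Fortinet): it runs netstat -ano on the client, keeps the UDP socket bound to the alert's source port, and resolves the owning PID to its executable and command line. It assumes PowerShell 3 or later on the 172.10.2.45 machine, run as an administrator so -o shows PIDs for every user's processes; the port and peer address are the ones quoted in the alert.

```powershell
<#
  Added example, not from the original thread: map the UDP source port named
  in the FortiGate alert to its owning process, following the answer's
  netstat -ano approach. Assumes PowerShell 3+ on the client itself, run as
  an administrator.
#>
param(
    [int]$LocalPort = 51158,           # source port quoted in the alert
    [string]$Peer   = '210.181.1.24'   # DNS server quoted in the alert
)

# -a all sockets, -n numeric addresses, -o owning PID. A UDP line looks like:
#   UDP    0.0.0.0:51158    *:*    1234
$udpLines = netstat -ano | Where-Object { $_ -match '^\s*UDP\s' }

$hits = foreach ($line in $udpLines) {
    $f    = $line.Trim() -split '\s+'          # Proto, LocalAddr, ForeignAddr, PID
    $port = [int]($f[1] -replace '^.*:', '')   # keep only the port (IPv4 or [IPv6])
    if ($port -ne $LocalPort) { continue }
    $owner = [int]$f[3]   # not $pid: that name is a reserved automatic variable
    $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
    [pscustomobject]@{
        LocalAddress = $f[1]
        PID          = $owner
        Name         = $proc.Name
        Path         = $proc.ExecutablePath
        CommandLine  = $proc.CommandLine
    }
}

if (-not $hits) {
    # UDP source ports are ephemeral: the socket that tripped the alert may
    # already be closed, so an empty result does not clear the client.
    Write-Warning "No UDP socket bound to port $LocalPort right now; capture traffic instead."
} else {
    $hits | Format-List
}

# Capture filter for Wireshark/tcpdump (the answer's second suggestion) to see
# what the client actually asks this server. A normal resolver sends a handful
# of queries, not the ~1000 sessions per window the anomaly threshold reports.
"Capture filter: udp port 53 and host $Peer"
```

If the owning process turns out to be the system resolver (svchost.exe hosting the DNS Client service on Windows) the packet capture still matters, because the query names show whether an application behind it is behaving normally or flooding one external server.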