From: Brian Cervenka (brianzerobelow.org)
Date: Tue Nov 13 2001 - 14:12:38 CST

    I have an NT4.0 network with a PDC and a BDC, and then a PDC for a
    currently unused domain.

    The spare PDC runs DNS, WINS, DHCP, (the windows versions) and the BDC
    from the other domain runs backup copies of all those services, and there
    is a trust relationship between the domains. These services are not
    publicly accessible.

    I have a firewall which enforces a max of 200 simultaneous sessions
    from an internal machine to anywhere outside. The firewall has been
    reporting:
    1. 11/12/2001 17:12:53 ATTACK ALARM: session threshold from <inside
    address>/53 to <outside address>/53 prot UDP (trust)

    These reports tend to be only during the evening hours, and are to quite a
    few different sites, not just a single remote site. Only the slave DNS is
    reported as doing this, the primary doesn't.

    I can understand having many connections open, and understand that there
    will be a timeout before the firewall marks the connections as closed, but
    this still seems like a lot of sessions to the outside. I am wondering if
    this is some symptom of some other security problem?

    --brian
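
A triage sketch for the alarms described in the message above, added here as an example and not part of the original post: it groups threshold alarms by internal source and reports how many distinct outside destinations and which hours are involved. The regular expression is modelled on the single alarm line quoted in the post; the sample log, its addresses and the name `summarize_alarms` are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Pattern modelled on the single alarm line quoted in the post (assumed format).
ALARM_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ATTACK ALARM: session threshold "
    r"from (\S+)/(\d+) to (\S+)/(\d+) prot (\w+)"
)

# Constructed sample log: private and documentation addresses, not real data.
# The third entry is wrapped across two lines, as the quoted alarm is in the post.
SAMPLE_LOG = """\
11/12/2001 17:12:53 ATTACK ALARM: session threshold from 10.0.0.12/53 to 192.0.2.10/53 prot UDP (trust)
11/12/2001 17:40:02 ATTACK ALARM: session threshold from 10.0.0.12/53 to 198.51.100.7/53 prot UDP (trust)
11/12/2001 21:05:31 ATTACK ALARM: session threshold from 10.0.0.12/53 to
203.0.113.25/53 prot UDP (trust)
11/13/2001 09:15:00 ATTACK ALARM: session threshold from 10.0.0.40/1042 to 192.0.2.10/80 prot TCP (trust)
"""

def summarize_alarms(log_text):
    """Group session-threshold alarms by internal source address."""
    flat = " ".join(log_text.split())  # rejoin entries wrapped across lines
    per_src = defaultdict(lambda: {"alarms": 0, "dests": set(),
                                   "hours": Counter(), "dns_only": True})
    for ts, src, sport, dst, dport, proto in ALARM_RE.findall(flat):
        entry = per_src[src]
        entry["alarms"] += 1
        entry["dests"].add(dst)
        # Timestamps are assumed to be month/day/year, local firewall time.
        entry["hours"][datetime.strptime(ts, "%m/%d/%Y %H:%M:%S").hour] += 1
        # Stays True only while every alarm for this host is UDP 53 -> 53.
        entry["dns_only"] &= (proto == "UDP" and sport == dport == "53")
    return dict(per_src)

if __name__ == "__main__":
    for src, e in summarize_alarms(SAMPLE_LOG).items():
        print(src, e["alarms"], "alarms,", len(e["dests"]), "destinations,",
              "hours:", dict(e["hours"]), "DNS only:", e["dns_only"])
```

A host whose alarms are all UDP 53 to 53, spread over many destinations, matches the pattern reported for the slave DNS server; any alarm on other ports or protocols from the same host clears the `dns_only` flag and is worth a separate look.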