Re: Strange Traffic..

From: John Sage (jsage@finchhaven.com)
Date: 11/30/01


Message-ID: <3C07189A.4050807@finchhaven.com>
Date: Thu, 29 Nov 2001 21:26:50 -0800
From: John Sage <jsage@finchhaven.com>
To: Vinay Kudithipudi <kudithipudi@mail.ru>
Subject: Re: Strange Traffic..

Vinay:

I think this looks like nameserver-to-nameserver dns traffic, see
comments in line..

Vinay Kudithipudi wrote:

> Hello Guys,
> Our DNS servers have been getting a lot of strange traffic from
> a couple of IP addresses allocated to the Social Security
> Administration.
>
> Here is a tcpdump I did on one of our DNS servers.
>
> 07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)

199.x.x.x:53 sends 35 bytes to dns1:53 with a query number of 45115

> 07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)

dns1 answers query number 45115 with 100 bytes, zero answer records, 2
authoritative records, 1 additional record...

So, whatever it is they think they want, you apparently don't have the
specific IP address, but you may have the relevant nameserver, and
you've got some additional stuff, too...

Now, if it's the *volume* of traffic you're talking about, that's a
different kind of issue.

I'd try to get in touch with llsmith@ssa.gov and ask him "wassup?"

UUNET Technologies, Inc. (NETBLK-UUCBLK170-173)NETBLK-UUCBLK170-173
      199.170.0.0 - 199.173.255.255

Social Security Administration (NETBLK-UU-199-173-224-D2)

UU-199-173-224-D2
      199.173.224.0 - 199.173.231.255

Social Security Administration (NETBLK-UU-199-173-224-D2)
    6401 Security Blvd.
    Baltimore, MD 21235
    US Netname: UU-199-173-224-D2
    Netblock: 199.173.224.0 - 199.173.231.255

Coordinator:
       Smith, Lionel Lloyd (LS112-ARIN) llsmith@ssa.gov
       (410) 965-8963 (FAX) (410) 965-4110

Record last updated on 08-Oct-1998.
Database last updated on 29-Nov-2001 19:56:47 EDT.

(I don't think it's necessarily unusual that the data for this specific
record hasn't changed since 1998..)

- John

<snip>

>
> The other IP's that we are getting this kind of traffic from are
> 199.173.224.2 and 199.173.225.21.
>
> I did a portscan on these IP's using nmap and the only ports open on
> these boxes are SMTP and AUTH. Also the output says that the boxes
> have been up from 1985!!!
>
> This traffic is killing our servers. I am planning on blocking these
> IP's from our routers, but wanted to hear other opinions from this
> group. Any help would be appreciated. Thank you.
>
>
>
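To turn the line-by-line decoding John does above into something you can run over a whole capture, here is an added example (mine, not from either poster) that parses tcpdump's DNS summary lines and tallies, per querying peer, how many queries it sent, how many set the recursion-desired flag that tcpdump prints as `+` after the query id, and how the server's matched replies break down into answers, referrals (authority records but no answer, like the `0/2/1` above) and empty replies. The sample lines are constructed from the format quoted in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tcpdump DNS format quoted in the post (the two lines
# from the post plus invented follow-ups, including one recursive query, '+').
SAMPLE_LINES = """\
07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
07:00:36.101200 199.173.224.2.domain > dns1.domain: 45116+ (35)
07:00:36.101900 dns1.domain > 199.173.224.2.domain: 45116 1/0/0 (51) (DF)
07:00:36.300000 199.173.224.20.domain > dns1.domain: 45117 (35)
07:00:36.300700 dns1.domain > 199.173.224.20.domain: 45117 0/0/0 (35) (DF)
""".splitlines()

# "<id>[flags] (<bytes>)" is a query; "<id>[flags] an/ns/ar (<bytes>)" is a reply.
# tcpdump flags: '+' recursion desired, '*' authoritative, '-' no recursion, '|' truncated.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.domain > (?P<dst>\S+)\.domain: "
    r"(?P<id>\d+)(?P<flags>[+*\-|$%]*)"
    r"(?: (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))? \((?P<len>\d+)\)"
)

def parse_line(line):
    """Return a dict for one tcpdump DNS line (an/ns/ar are None for a query), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("id", "len", "an", "ns", "ar"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def classify_response(rec):
    """Name what the reply carried: an answer, a referral (NS records only), or nothing."""
    if rec["an"] > 0:
        return "answer"
    return "referral" if rec["ns"] > 0 else "empty"  # 0/2/1 in the post is a referral

def summarize(lines):
    """Per querying peer: query count, recursive ('+') count, and reply types."""
    stats = defaultdict(lambda: {"queries": 0, "recursive": 0, "replies": Counter()})
    pending = {}  # (peer, query id) -> query, so a reply is only counted once matched
    for rec in filter(None, map(parse_line, lines)):
        if rec["an"] is None:  # a query from a peer
            peer = stats[rec["src"]]
            peer["queries"] += 1
            peer["recursive"] += "+" in rec["flags"]
            pending[(rec["src"], rec["id"])] = rec
        elif pending.pop((rec["dst"], rec["id"]), None) is not None:
            stats[rec["dst"]]["replies"][classify_response(rec)] += 1
    return dict(stats)
```

Feed it `tcpdump -n port 53` output saved to a file and the per-peer counts show at a glance whether one source dominates the volume and whether it is asking for recursion (a resolver) or not (another nameserver chasing referrals, as John reads it).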


