RE: Strange Traffic..

Date: 11/29/01

Message-ID: <>
To: "'Vinay Kudithipudi'" <>
Subject: RE: Strange Traffic..
Date: Thu, 29 Nov 2001 11:06:55 -0600

What do you see that's unusual about this traffic? It looks like maybe this
system is just doing a large number of DNS lookups via your name server?
The 0/2/1 implies a non-authoritative response to one of their requests.

Could be that someone on their end is doing a mass reverse-lookup against a
block of your IP addresses, or a vulnerability scan that includes looking up
the hostname of the systems it hits? Maybe the increased load on your
systems is due to these effects instead of the DNS lookups. I wouldn't
expect the frequency/number of requests below to cause significant problems
for your servers.

This could be the effect of 3rd-party SMTP relaying also. If someone on
your network (or another broken mail server on your network) is relaying
massive amounts of e-mail through their mail servers, it's possible their
systems are trying to do reverse DNS lookups on the originating IP
address(es). One might expect that this information would be cached, but
it's still possible.

It could be anything, really, but I don't really see anything unusual about
the traffic you pasted.

How long has it been running and has it stopped? A dump of the packets
you're seeing might be interesting, and would at least let us see what these
requests are like. Some newer versions of 'tcpdump' decode DNS requests and


-----Original Message-----
From: Vinay Kudithipudi []
Sent: Thursday, November 29, 2001 7:12 AM
Subject: Strange Traffic..

Hello Guys,
      Our DNS servers have been getting a lot of strange traffic from
a couple of IP addresses allocated to the Social Security

Here is a tcpdump I did on one of our DNS servers.

07:00:35.988875 > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 45115 0/2/1 (100) (DF)
07:00:56.992344 dns1.domain > 29865 1/2/1 (116) (DF)
07:00:56.994509 > dns1.domain: 53859 (35)
07:00:56.994757 > dns1.domain: 13471 (35)
07:00:56.995297 dns1.domain > 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 13471 1/2/1 (116) (DF)
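The reply above reads the pasted lines by hand: the `0/2/1` field is tcpdump's answer/authority/additional record counts, and the question of whether the request rate is actually high enough to matter is what decides whether this is worth chasing. The script below is an added example, not code from either poster, that parses the classic tcpdump DNS summary format and produces the numbers a responder would want from a capture like this one: queries per client, peak queries per second, how many responses came back with zero answers or without the authoritative-answer flag (tcpdump prints `*` after the id when AA is set, `+` after a query id when recursion was requested), query-to-response latency, and responses that have no matching query in the capture. The sample lines are constructed stand-ins modelled on the post's capture; the client addresses (192.0.2.x, a documentation range) and PTR names replace the values the list archive stripped out.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the classic tcpdump DNS summary format, modelled on
# the capture in the post.  192.0.2.x (documentation range) and the PTR
# names stand in for values stripped from the archived message.
#   Query:    "id[+] TYPE? name. (len)"        + = recursion desired
#   Response: "id[*] [rcode] ans/auth/add (len)" * = authoritative answer
SAMPLE = """\
07:00:35.988875 192.0.2.10.1062 > dns1.domain: 45115+ PTR? 20.1.168.192.in-addr.arpa. (35)
07:00:35.989564 dns1.domain > 192.0.2.10.1062: 45115 0/2/1 (100) (DF)
07:00:56.992344 dns1.domain > 192.0.2.10.1063: 29865 1/2/1 (116) (DF)
07:00:56.994509 192.0.2.10.1064 > dns1.domain: 53859+ PTR? 23.1.168.192.in-addr.arpa. (35)
07:00:56.994757 192.0.2.11.2045 > dns1.domain: 13471+ PTR? 24.1.168.192.in-addr.arpa. (35)
07:00:56.995297 dns1.domain > 192.0.2.10.1064: 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 192.0.2.11.2045: 13471 1/2/1 (116) (DF)
"""

# Common prefix: timestamp, source endpoint, destination endpoint, DNS id.
HEAD = r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)"
QUERY_RE = re.compile(HEAD + r"(?P<rd>\+)? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)")
RESP_RE = re.compile(HEAD + r"(?P<aa>\*)?(?: (?P<rcode>[A-Za-z]+))?"
                     r" (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) \((?P<len>\d+)\)")


def host_of(endpoint):
    """Strip the port label tcpdump appends ('.1062', '.domain')."""
    return endpoint.rsplit(".", 1)[0]


def parse_line(line):
    """Return a dict for a DNS query or response line, or None for anything else."""
    m = QUERY_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="query", client=host_of(d["src"]), recursion=bool(d["rd"]))
        return d
    m = RESP_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="response", client=host_of(d["dst"]),
                 authoritative=bool(d["aa"]), answers=int(d["an"]),
                 authority=int(d["ns"]), additional=int(d["ar"]))
        return d
    return None


def to_seconds(ts):
    """Seconds since midnight for a tcpdump HH:MM:SS.ffffff timestamp."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def summarize(text):
    """Aggregate a capture: who is asking, how fast, and what they get back."""
    queries, responses = {}, {}
    per_client, per_second = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["id"])  # pair queries and responses by client + id
        if rec["kind"] == "query":
            queries[key] = rec
            per_client[rec["client"]] += 1
            per_second[rec["ts"][:8]] += 1  # bucket by whole second
        else:
            responses[key] = rec
    latency = {k[1]: round((to_seconds(responses[k]["ts"]) - to_seconds(queries[k]["ts"])) * 1000, 3)
               for k in queries if k in responses}
    return {
        "queries_per_client": dict(per_client),
        "peak_queries_per_second": max(per_second.values(), default=0),
        "query_types": dict(Counter(q["qtype"] for q in queries.values())),
        "empty_answers": sum(1 for r in responses.values() if r["answers"] == 0),
        "non_authoritative": sum(1 for r in responses.values() if not r["authoritative"]),
        "unmatched_responses": sorted(k[1] for k in responses if k not in queries),
        "latency_ms": latency,
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name}: {value}")
```

Run against a full capture (`tcpdump -n port 53 > dns.txt`, then `summarize(open("dns.txt").read())`), the `queries_per_client` and `peak_queries_per_second` figures answer the reply's first question directly: a handful of PTR lookups a minute from two hosts, as in the post, is nowhere near a load problem, whereas a steady stream of PTR queries walking through consecutive addresses in one `in-addr.arpa` block is the reverse-sweep pattern the reply speculates about. A large `unmatched_responses` list (responses with no query seen) points at the capture filter rather than the traffic.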

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: