RE: Strange Traffic..

From: NESTING, DAVID M (SBCSI) (dn3723@sbc.com)
Date: 11/29/01


Message-ID: <B165A21236E7D411A8B90002A52C5871017DA516@msgstl08.sbc.com>
From: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com>
To: "'Vinay Kudithipudi'" <kudithipudi@mail.ru>
Subject: RE: Strange Traffic..
Date: Thu, 29 Nov 2001 11:06:55 -0600

What do you see that's unusual about this traffic? It looks like maybe this
system is just doing a large number of DNS lookups via your name server?
The 0/2/1 implies a non-authoritative response to one of their requests.

Could be that someone on their end is doing a mass reverse-lookup against a
block of your IP addresses, or a vulnerability scan that includes looking up
the hostname of the systems it hits? Maybe the increased load on your
systems is due to these effects instead of the DNS lookups. I wouldn't
expect the frequency/number of requests below to cause significant problems
for your servers.

This could be the effect of 3rd-party SMTP relaying also. If someone on
your network (or another broken mail server on your network) is relaying
massive amounts of e-mail through their mail servers, it's possible their
systems are trying to do reverse DNS lookups on the originating IP
address(es). One might expect that this information would be cached, but
it's still possible.

It could be anything, really, but I don't really see anything unusual about
the traffic you pasted.

How long has it been running and has it stopped? A dump of the packets
you're seeing might be interesting, and would at least let us see what these
requests are like. Some newer versions of 'tcpdump' decode DNS requests and
replies.

David

-----Original Message-----
From: Vinay Kudithipudi [mailto:kudithipudi@mail.ru]
Sent: Thursday, November 29, 2001 7:12 AM
To: incidents@securityfocus.com
Cc: focus-linux@securityfocus.com
Subject: Strange Traffic..

Hello Guys,
      Our DNS servers have been getting a lot of strange traffic from
a couple of IP addresses allocated to the Social Security
Administration.

Here is a tcpdump I did on one of our DNS servers.

07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
...
07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
...
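The reply above turns on reading tcpdump's one-line DNS summary: the "0/2/1" after the transaction ID is the answer/authority/additional record count of the reply, so it is a reply that carried no answer records, and the question is whether the query rate from 199.173.224.20 is anything a name server would notice. The script below is an added example, not code from either poster. It parses that summary format, pairs replies with their queries by transaction ID and peer, and reports per-peer counts and query rate. The input is the capture from the post plus two constructed lines for a second client; the 50 queries/s and 90% answerless thresholds in heavy_peers() are illustrative assumptions, not values from the thread.

```python
"""Summarise the DNS traffic in a tcpdump capture, one line at a time.

Added example; not code from the original thread. It reads the classic
tcpdump one-line DNS summary shown in the post:

    HH:MM:SS.usec CLIENT.domain > SERVER.domain: ID (LEN)              query
    HH:MM:SS.usec SERVER.domain > CLIENT.domain: ID A/N/AD (LEN) (DF)  reply

A/N/AD are the answer, authority and additional record counts, so
"0/2/1" is a reply with no answer records. tcpdump prints "*" after the
ID of an authoritative answer and an rcode word such as NXDomain before
the counts when the rcode is non-zero; both are accepted here.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\.(?:domain|53)\s+>\s+(?P<dst>\S+?)\.(?:domain|53):\s+"
    r"(?P<id>\d+)(?P<flags>[*|+-]*)"                        # tcpdump flag chars
    r"(?:\s+(?P<rcode>NXDomain|ServFail|FormErr|Refused|NotImp))?"
    r"(?:\s+(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?"           # replies only
    r".*\((?P<len>\d+)\)"
)


def parse_line(line):
    """Return a dict for one tcpdump DNS line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    rec["id"] = int(rec["id"])
    rec["len"] = int(rec["len"])
    # Only replies carry the A/N/AD triplet.
    rec["is_reply"] = rec["an"] is not None
    if rec["is_reply"]:
        rec["an"], rec["ns"], rec["ar"] = (int(rec[k]) for k in ("an", "ns", "ar"))
        rec["authoritative"] = "*" in rec["flags"]
    return rec


def summarise(lines):
    """Per-peer counters: how much is each remote host actually asking?"""
    peers = {}
    pending = {}  # (peer, id) -> query time, used to pair replies with queries
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        peer = rec["dst"] if rec["is_reply"] else rec["src"]
        st = peers.setdefault(peer, {
            "queries": 0, "replies": 0, "empty_answer": 0, "authoritative": 0,
            "unmatched_replies": 0, "first": rec["ts"], "last": rec["ts"],
        })
        st["last"] = rec["ts"]
        if rec["is_reply"]:
            st["replies"] += 1
            st["empty_answer"] += int(rec["an"] == 0)
            st["authoritative"] += int(rec["authoritative"])
            if pending.pop((peer, rec["id"]), None) is None:
                st["unmatched_replies"] += 1  # query not present in the capture
        else:
            st["queries"] += 1
            pending[(peer, rec["id"])] = rec["ts"]
    for st in peers.values():
        span = (st["last"] - st["first"]).total_seconds()
        st["span_s"] = round(span, 3)
        # Rate over at least one second, so a single exchange is not reported
        # as thousands of queries per second.
        st["qps"] = round(st["queries"] / max(span, 1.0), 2)
        del st["first"], st["last"]
    return peers


def heavy_peers(stats, qps_threshold=50.0, empty_ratio=0.9, min_replies=10):
    """Peers whose query rate, or share of answerless replies, deserves a look.

    The thresholds are illustrative assumptions, not values from the thread.
    """
    flagged = []
    for peer, st in sorted(stats.items()):
        empty_share = st["empty_answer"] / st["replies"] if st["replies"] else 0.0
        if st["qps"] >= qps_threshold or (
                st["replies"] >= min_replies and empty_share >= empty_ratio):
            flagged.append(peer)
    return flagged


# The lines from the post, followed by two constructed lines for a second
# client that gets an authoritative (*) answer.
SAMPLE = """\
07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
07:00:57.100000 10.0.0.7.domain > dns1.domain: 7 (35)
07:00:57.100400 dns1.domain > 10.0.0.7.domain: 7* 1/1/1 (90) (DF)
"""

if __name__ == "__main__":
    stats = summarise(SAMPLE.splitlines())
    for peer, st in sorted(stats.items()):
        print(peer, st)
    print("worth a look:", heavy_peers(stats) or "nothing")
```

On the posted capture this reports three queries from 199.173.224.20 over about 21 seconds, one reply with no answer records, and one reply (ID 29865) whose query falls outside the pasted lines, which is the "unmatched" counter rather than anything sinister. The regex also accepts the ".53" suffix that `tcpdump -n` prints instead of ".domain" and the decoded question and rcode fields of later tcpdump versions, so the same script works on a fuller `tcpdump -n port 53` capture of the kind the reply asks for.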

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


