RE: Re[2]: Strange Traffic..

From: NESTING, DAVID M (SBCSI) (dn3723@sbc.com)
Date: 11/30/01 

Message-ID: <B165A21236E7D411A8B90002A52C5871017DA52B@msgstl08.sbc.com>
From: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com>
To: "'Vinay Kudithipudi'" <kudithipudi@mail.ru>
Subject: RE: Re[2]: Strange Traffic..
Date: Fri, 30 Nov 2001 10:56:33 -0600

I didn't say the *incident* was normal, I just said the nature of the
*traffic* looked normal. Yah I would say it isn't very normal for an
external host to be banging away on a name server doing DNS lookups every
few seconds for 4 days. :)

But this is more likely to be:

a) a run-away process on your end making traffic to their network (and
somehow triggering reverse lookups); or
b) a run-away process on their end; or
c) host(s) on their end configured with your name servers instead of their
own (relocated equipment?)

Without knowing the nature of the lookups and examining the host(s) making
the requests and/or the host(s) on your side that they're looking up, I
don't know that we'll be able to easily figure out the cause of this.

Or I guess it could be some kind of weird DoS attack. If you can't nail
down a possible cause on your end you might try contacting them.

David

-----Original Message-----
From: Vinay Kudithipudi [mailto:kudithipudi@hotbox.ru]
Sent: Thursday, November 29, 2001 11:07 PM
To: NESTING, DAVID M (SBCSI)
Cc: incidents@securityfocus.com
Subject: Re[2]: Strange Traffic..

Hello DAVID,
    Thanks for the detailed analysis/explanation. You guys are awesome
on this mailing list. I don't think it is normal traffic since we have
been hit by this traffic for 4 days already [And is continuing a we
speak] . And also if it was a normal DNS lookup, why would we be
getting so many requests. Even though we are a pretty big company, I
don't see us generating so many lookups.

   As for your request to to send some packet dumps. I would be more
than happy to , if I knew how :). Any way you can tell me how to do
some packet dumps? Thanks everyone for the replies. 

-- 
Best regards,
 Vinay                            mailto:kudithipudi@hotbox.ru

Thursday, November 29, 2001, 11:06:55 AM, you wrote:

NDMS> What do you see that's unusual about this traffic?  It looks like
maybe this
NDMS> system is just doing a large number of DNS lookups via your name
server?
NDMS> The 0/2/1 implies a non-authoritative response to one of their
requests.

NDMS> Could be that someone on their end is doing a mass reverse-lookup
against a
NDMS> block of your IP addresses, or a vulnerability scan that includes
looking up
NDMS> the hostname of the systems it hits?  Maybe the increased load on your
NDMS> systems is due to these effects instead of the DNS lookups.  I
wouldn't
NDMS> expect the frequency/number of requests below to cause significant
problems
NDMS> for your servers.

NDMS> This could be the effect of 3rd-party SMTP relaying also.  If someone
on
NDMS> your network (or another broken mail server on your network) is
relaying
NDMS> massive amounts of e-mail though their mail servers, it's possible
their
NDMS> systems are trying to do reverse DNS lookups on the originating IP
NDMS> address(es).  One might expect that this information would be cached,
but
NDMS> it's still possible.

NDMS> It could be anything, really, but I don't really see anything unusual
about
NDMS> the traffic you pasted.

NDMS> How long has it been running and has it stopped?  A dump of the
packets
NDMS> you're seeing might be interesting, and would at least let us see what
these
NDMS> requests are like.  Some newer versions of 'tcpdump' decode DNS
requests and
NDMS> replies.

NDMS> David

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com