RE: [inbox] RE: Bogus DNS traffic

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/30/03

    Next message: John Sage: "Re: [inbox] RE: Bogus DNS traffic"
    To: "'John Sage'" <jsage@finchhaven.com>
    Date: Thu, 30 Oct 2003 09:45:29 -0800

    The handful of packets I captured all had ID "102" and
    clearly bogus counts of questions/answers. I'm pretty sure
    none of them looked like this.

    Dave Gillett

    > -----Original Message-----
    > From: John Sage [mailto:jsage@finchhaven.com]
    > Sent: October 30, 2003 09:24
    > To: David Gillett
    > Cc: incidents@securityfocus.com
    > Subject: Re: [inbox] RE: Bogus DNS traffic
    >
    >
    > David:
    >
    > On Fri, Oct 24, 2003 at 08:35:20AM -0700, David Gillett wrote:
    > > Just to clarify:
    >
    > /* snip */
    >
    > > And to reiterate:
    > >
    > > Several people have suggested I check
    > >
    > > http://people.ists.dartmouth.edu/~gbakos/bindsweep/
    > >
    > > I have, and it appears to describe exactly what I'm seeing.
    > > Thank you.
    >
    > Do you have any full packet captures?
    >
    > I've just been looking at some interesting UDP 53:53 traffic that
    > seems to contain sets of IP address:port 53 pairs, each terminated by
    > hex 0x00 viz:
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > 10/29-07:22:27.796597 10.0.98.93:53 -> 67.119.168.10:53
    > UDP TTL:127 TOS:0x0 ID:8647 IpLen:20 DgmLen:95
    > Len: 75
    > 05 43 77 A8 0A 35 00 51 48 11 94 35 00 18 46 5F  .Cw..5.QH..5..F_
    > CB 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .5..............
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    > 00 00 00 ...
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > [jsage@sparky /storage/virii] $ 2 hd 43 77 A8 0A 35
    > 67
    > 119
    > 168
    > 10
    > 53
    >
    > 67.119.168.10:53
    >
    > [jsage@sparky /storage/virii] $ host 67.119.168.10
    > 10.168.119.67.in-addr.arpa domain name pointer
    > adsl-67-119-168-10.dsl.frsn01.pacbell.net.
    >
    >
    > [jsage@sparky /storage/virii] $ 2 hd 51 48 11 94 35
    > 81
    > 72
    > 17
    > 148
    > 53
    >
    > 81.72.17.148:53
    >
    > [jsage@sparky /storage/virii] $ host 81.72.17.148
    > 148.17.72.81.in-addr.arpa domain name pointer
    > host148-17.pool8172.interbusiness.it.
    >
    >
    > [jsage@sparky /storage/virii] $ 2 hd 18 46 5F CB 35
    > 24
    > 70
    > 95
    > 203
    > 53
    >
    > 24.70.95.203:53
    >
    > Request: 24.70.95.203
    > connected to whois.arin.net [192.149.252.43:43] ...
    >
    > OrgName: Shaw Communications Inc.
    > OrgID: SHAWC
    > Address: Suite 800
    > Address: 630 - 3rd Ave. SW
    > City: Calgary
    > StateProv: AB
    > PostalCode: T2P-4L4
    > Country: CA
    >
    >
    >
    >
    > - John
    > --
    > "Most people don't type their own logfiles; but, what do I care?"
    > -
    > John Sage: InfoSec Groupie
    > -
    > ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
    > -
    > ATTENTION: this entire message is privileged communication, intended
    > for the sole use of its recipients only. If you read it even though
    > you know you aren't supposed to, you're a poopy-head.
    >
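The decoding John does by hand above (hex bytes to dotted-quad, then the port byte) and the "bogus counts of questions/answers" David mentions can both be checked mechanically from a capture. The script below is an added example, not code from either poster: it embeds the first 32 bytes of John's quoted dump as a constructed payload (the zero tail is padded to the 67-byte length implied by `Len: 75` minus the 8-byte UDP header, which is an assumption since the dump is truncated with `...`), reads the 6-byte records the way John did, and separately asks whether the payload could even be a well-formed DNS message by comparing the header's section counts against the bytes available. The leading `0x05` byte is skipped as an assumed header byte; the thread does not say what it means. Whether the port is one byte (`0x35`) followed by a `0x00` terminator, as John reads it, or a two-byte little-endian `35 00`, cannot be told from a port-53 sample, since both readings give 53.

```python
import struct

# Constructed from the hex dump quoted in the thread. The first 32 bytes are
# shown in full there; the remaining 35 bytes are assumed to be zero padding
# (67 = UDP Len 75 minus the 8-byte UDP header). Not the original packet.
PAYLOAD = bytes.fromhex(
    "05 43 77 A8 0A 35 00 51 48 11 94 35 00 18 46 5F"
    "CB 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
) + bytes(35)

# A constructed, ordinary DNS query (ID 0x0066, RD set, one question for
# example.com type A) to show what a plausible header looks like.
NORMAL_QUERY = (
    bytes.fromhex("0066 0100 0001 0000 0000 0000")
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
)


def dns_header_sanity(payload):
    """Interpret the first 12 bytes as a DNS header and check whether the
    four section counts could possibly fit in a payload of this size.

    Lower bounds: a question needs at least 5 bytes (1-byte root name plus
    QTYPE and QCLASS); a resource record needs at least 11 bytes (1-byte
    root name plus TYPE, CLASS, TTL and RDLENGTH). If the minimum exceeds
    the payload length, the counts are bogus whatever else the packet is.
    """
    if len(payload) < 12:
        return {"plausible": False, "reason": "shorter than a DNS header"}
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    minimum = 12 + qd * 5 + (an + ns + ar) * 11
    return {
        "id": ident,
        "flags": flags,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
        "min_bytes_needed": minimum,
        "plausible": minimum <= len(payload),
    }


def decode_ip_port_records(payload, start=1):
    """Read 6-byte records (4-byte IPv4, 1-byte port, 0x00 terminator) from
    offset `start`, stopping at the first all-zero record (padding).

    start=1 skips the leading 0x05 byte; the thread does not establish its
    meaning, so treating it as a header byte is an assumption. A record
    whose sixth byte is not 0x00 does not match John's description, so it
    is reported as an error rather than silently decoded.
    """
    records = []
    pos = start
    while pos + 6 <= len(payload):
        chunk = payload[pos:pos + 6]
        if chunk == bytes(6):
            break
        if chunk[5] != 0:
            raise ValueError("record at offset %d lacks 0x00 terminator" % pos)
        ip = ".".join(str(b) for b in chunk[:4])
        records.append((ip, chunk[4]))
        pos += 6
    return records


if __name__ == "__main__":
    for ip, port in decode_ip_port_records(PAYLOAD):
        print("%s:%d" % (ip, port))
    for name, data in (("captured payload", PAYLOAD), ("normal query", NORMAL_QUERY)):
        h = dns_header_sanity(data)
        print("%s: id=%#06x counts=%d/%d/%d/%d needs>=%d bytes, has %d, plausible=%s" % (
            name, h["id"], h["qdcount"], h["ancount"], h["nscount"], h["arcount"],
            h["min_bytes_needed"], len(data), h["plausible"]))
```

Run against a real capture, the record decoder reproduces John's three addresses, and the header check rejects the payload outright: read as a DNS header it claims 2613 questions and over 56,000 resource records in 67 bytes. The same check applied to the constructed query passes, which is the contrast a sensor rule on UDP/53 traffic would want before trusting a packet's DNS fields.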


