Re: Is there a new DNS exploit?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 06/21/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Fri, 21 Jun 2002 06:40:28 +0000 (UTC)


[ Part 2/2 ]

< Sak Wathanasin

>The src addresses are probably spoofed. Anyone else seeing this,

Subject: New DNS connection with SYN ACK
Date: 11 Jan 2002 16:50:59 -0000
From: Jerry Perser <jerry.perser@spirentcom.com>
Message-ID: <20020111165059.9734.qmail@mail.securityfocus.com>
To: incidents@securityfocus.com
LEN=44 TOS=0x00 PREC=0x00 ID=0 PROTO=TCP SPT=high DPT=53 WINDOW=4128
RES=0x00 ACK SYN URGP=0, DF flag is not set. 19 unique source IP.
128.121.10.146* 128.242.105.34 129.250.244.10* 193.148.15.128
194.205.125.26 194.213.64.150* 202.139.133.129* 203.194.166.182*
203.81.45.254* 216.220.39.42 216.33.35.214* 216.34.68.2*
216.35.167.58* 62.23.80.2 62.26.119.34 64.14.200.154
64.37.200.46 64.56.174.186 64.78.235.14
since they began appearing in Feb-March 2001. global load balancers.
get a round trip time. Cisco's content-redirector software.

Subject: Spoofed scans
Date: Sun, 6 Jan 2002 12:41:11 +0100 (CET)
From: Richard Arends <richard@unixguru.nl>
Message-ID: <Pine.BSO.4.33.0201061240290.20705-100000@mail.unixguru.nl>
To: <incidents@securityfocus.com>
All scans are icmp or port 53 (domain). Mostly 'they' first send a few
icmp packets and then a scan for port 53 trying to do a reverse lookup
for my ip.

Subject: ICMP Src IP = Dst IP (not a Land attack)
Date: 21 Feb 2002 18:41:33 -0000
From: <mtoren@hotmail.com>
Message-ID: <20020221184133.30589.qmail@mail.securityfocus.com>
To: incidents@securityfocus.com
Arrowpoint (Cisco CSS) load balancer. There are two different IP ID
numbers for the six alerts. There are also two different data payloads,
but notice that the payloads and IP ID number do not match for all of
the alerts (i.e. the first and last alert have the same IP ID, but a
different payload).

http://www.geocrawler.com/archives/3/303/2001/4/150/5628582/
http://www.coyotepoint.com/ "Envoy Coyote Equalizer"
It works by delegating DNS for a specific hostname then calculates the
best possible location and serves up that IP. That DNS then queries the
SOA for the 'bfast.com' domain which in turn directs it to one of them.
Then uses the IP of the user's local DNS to calculate the best geographical
location. This is where the ping is attempted. If the ping is unsuccessful,
a default site is used. Please note that because we have multiple sites
for redundancy, a ping may be generated from each site in order to
determine the "closest" site. One look-up may generate several from the
system (two from each site). Your local DNS should cache this IP for
several minutes before another look-up is required.

bigip.com akamai.com bfast.com exodus.net

comp.security.firewalls "Misconfigured DNS, firewall too tight or
(spoofed?) attack?"

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
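The SYN/ACK-to-port-53 pattern collected above (LEN=44, ID=0, WINDOW=4128, DF not set, high source port, no prior outbound SYN) can be triaged mechanically from iptables-style firewall logs. The following Python is an added example, not code from this post or from any of the products it names. The log lines are constructed with RFC 5737 documentation addresses, and the IN/OUT/SRC/DST/TTL fields are assumed from the standard iptables LOG format, since the excerpt in the post omits them. It labels each line, tallies unique sources per label (the post's "19 unique source IP" count), and checks the quoted packet fingerprint separately, so a match is reported as a likely load-balancer RTT probe rather than escalated as a spoofed attack.

```python
"""Triage unsolicited SYN/ACK segments to port 53 in iptables-style logs.

The post attributes these to global load balancers (Cisco CSS/Arrowpoint,
Coyote Point Equalizer, Akamai/BigIP-style GSLB) timing the client's
resolver.  Sample log lines below are constructed, not captured.
"""
import re
from collections import Counter

# key=value fields as iptables LOG writes them (SRC=, DPT=, WINDOW=, ...).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# Bare tokens: TCP flags plus the DF bit.  \bURG\b does not match URGP=.
TOKEN_RE = re.compile(r"\b(DF|SYN|ACK|FIN|RST|PSH|URG)\b")

# Fingerprint quoted in the post: 44-byte segment, IP ID 0, window 4128,
# DF not set.  Matching it raises confidence; it is not proof by itself.
LB_FINGERPRINT = {"LEN": "44", "ID": "0", "WINDOW": "4128"}

# Constructed sample: three LB-style probes from two sources, one genuine
# DNS-over-TCP SYN, one ICMP echo (the post notes pings often precede probes).
SAMPLE_LOG = """\
Jun 21 06:40:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=40000 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Jun 21 06:40:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=TCP SPT=40000 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Jun 21 06:40:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=40000 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Jun 21 06:40:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=31337 DF PROTO=TCP SPT=51000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 21 06:40:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=2048 SEQ=1
"""


def parse_line(line):
    """Return a dict of key=value fields plus a TOKENS set of bare flags.

    For ICMP lines the second ID= (the echo identifier) overwrites the IP ID;
    that is acceptable here because ID is only consulted for TCP probes.
    """
    fields = dict(FIELD_RE.findall(line))
    fields["TOKENS"] = set(TOKEN_RE.findall(line))
    return fields


def classify(fields):
    """Label one parsed line.

    'lb-rtt-probe' : TCP SYN/ACK to port 53 from an ephemeral source port,
                     with no connection of ours behind it.
    'dns-syn'      : a real connection attempt to our port 53 (SYN only).
    'icmp'         : ICMP of any type.
    'other'        : anything else.
    """
    proto = fields.get("PROTO")
    if proto == "ICMP":
        return "icmp"
    if proto != "TCP" or fields.get("DPT") != "53":
        return "other"
    flags = fields["TOKENS"] - {"DF"}
    sport = int(fields.get("SPT", "0"))
    if flags == {"SYN", "ACK"} and sport > 1023:
        return "lb-rtt-probe"
    if flags == {"SYN"}:
        return "dns-syn"
    return "other"


def matches_fingerprint(fields):
    """True when the line carries the exact packet shape quoted in the post."""
    return (all(fields.get(k) == v for k, v in LB_FINGERPRINT.items())
            and "DF" not in fields["TOKENS"])


def summarize(log_text):
    """Count labels and collect unique source addresses per label."""
    counts = Counter()
    sources = {}
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        fields = parse_line(line)
        label = classify(fields)
        counts[label] += 1
        sources.setdefault(label, set()).add(fields.get("SRC"))
    return counts, sources


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:14s} {n:3d} lines, {len(sources[label])} unique source IP")
    for line in SAMPLE_LOG.splitlines():
        f = parse_line(line)
        if classify(f) == "lb-rtt-probe":
            print(f"  {f['SRC']} fingerprint match: {matches_fingerprint(f)}")
```

A stateful firewall drops an unsolicited SYN/ACK regardless, so the value of this pass is in the log review: a burst of "lb-rtt-probe" hits from a handful of sources shortly after someone on the network resolved a CDN-hosted name is the benign pattern described above, and the follow-up check is whether the sources' reverse records fall under the load-balancer domains listed (bigip.com, akamai.com, bfast.com, exodus.net) before treating them as a spoofed scan.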


