Re: Is there a new DNS exploit?

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Fri, 21 Jun 2002 06:40:28 +0000 (UTC)

[ Part 2/2 ]

< Sak Wathanasin

>The src addresses are probably spoofed. Anyone else seeing this,

Subject: New DNS connection with SYN ACK
Date: 11 Jan 2002 16:50:59 -0000
From: Jerry Perser <jerry.perser@spirentcom.com>
Message-ID: <20020111165059.9734.qmail@mail.securityfocus.com>
To: incidents@securityfocus.com
LEN=44 TOS=0x00 PREC=0x00 ID=0 PROTO=TCP SPT=high DPT=53 WINDOW=4128
RES=0x00 ACK SYN URGP=0, DF flag is not set. 19 unique source IPs.
Since they began appearing in Feb-March 2001. Global load balancers.
Get a round trip time. Cisco's content-redirector software.

Subject: Spoofed scans
Date: Sun, 6 Jan 2002 12:41:11 +0100 (CET)
From: Richard Arends <richard@unixguru.nl>
Message-ID: <Pine.BSO.4.33.0201061240290.20705-100000@mail.unixguru.nl>
To: <incidents@securityfocus.com>
All scans are icmp or port 53 (domain). Mostly 'they' first send a few
icmp packets and then a scan for port 53 trying to do a reverse lookup
for my ip.

Subject: ICMP Src IP = Dst IP (not a Land attack)
Date: 21 Feb 2002 18:41:33 -0000
From: <mtoren@hotmail.com>
Message-ID: <20020221184133.30589.qmail@mail.securityfocus.com>
To: incidents@securityfocus.com
Arrowpoint (Cisco CSS) load balancer. There are two different IP ID
numbers for the six alerts. There are also two different data payloads,
but notice that the payloads and IP ID number do not match for all of
the alerts (i.e. the first and last alert have the same IP ID, but a
different payload).

http://www.geocrawler.com/archives/3/303/2001/4/150/5628582/
http://www.coyotepoint.com/ "Envoy Coyote Equalizer"
It works by delegating DNS for a specific hostname then calculates the
best possible location and serves up that IP. That DNS then queries the
SOA for the 'bfast.com' domain which in turn directs it to one of them.
It then uses the IP of the user's local DNS to calculate the best geographical
location. This is where the ping is attempted. If the ping is unsuccessful,
a default site is used. Please note that because we have multiple sites
for redundancy, a ping may be generated from each site in order to
determine the "closest" site. One look-up may generate several from the
system (two from each site). Your local DNS should cache this IP for
several minutes before another look-up is required.

bigip.com akamai.com bfast.com exodus.net

comp.security.firewalls "Misconfigured DNS, firewall too tight or
(spoofed?) attack?"

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
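A defender-side triage script, added here as an example and not taken from any of the quoted mails: it parses netfilter-style log lines like the one Jerry Perser quotes and separates unsolicited SYN/ACKs to port 53 (the load-balancer round-trip-probe pattern discussed in the thread) from inbound SYNs to the DNS port and ICMP echo requests. The sample log lines, the RFC 5737 test addresses and the known_outbound table are constructed for the example.

```python
from collections import defaultdict

# Constructed sample lines in netfilter/iptables format (not real traffic); the first
# three mimic the quoted pattern: SYN+ACK, DPT=53, ID=0, DF not set, WINDOW=4128.
SAMPLE_LOG = """\
SRC=198.51.100.10 DST=192.0.2.53 LEN=44 TOS=0x00 PREC=0x00 ID=0 PROTO=TCP SPT=53 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
SRC=198.51.100.11 DST=192.0.2.53 LEN=44 TOS=0x00 PREC=0x00 ID=0 PROTO=TCP SPT=49152 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
SRC=198.51.100.11 DST=192.0.2.53 LEN=44 TOS=0x00 PREC=0x00 ID=0 PROTO=TCP SPT=49153 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
SRC=203.0.113.7 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 ID=31337 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
SRC=203.0.113.8 DST=192.0.2.53 LEN=84 TOS=0x00 PREC=0x00 ID=4660 PROTO=ICMP TYPE=8 CODE=0
"""

FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_line(line):
    """Split one log line into key=value fields plus a set of bare TCP/IP flags."""
    rec = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in FLAG_WORDS:
            rec["flags"].add(tok)
    return rec


def classify(rec, known_outbound):
    """Label a record. known_outbound holds (peer_ip, peer_port, our_port) for SYNs we sent,
    so a SYN/ACK that matches one is a normal reply and everything else to port 53 is unsolicited."""
    flags = rec["flags"]
    if rec.get("PROTO") == "TCP" and rec.get("DPT") == "53":
        if {"SYN", "ACK"} <= flags:
            if (rec.get("SRC"), rec.get("SPT"), rec.get("DPT")) in known_outbound:
                return "expected_synack"
            return "unsolicited_synack_to_dns"  # RTT-probe pattern from the thread
        if "SYN" in flags:
            return "inbound_syn_to_dns"
    if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8":
        return "icmp_echo_request"
    return "other"


def summarize(log_text, known_outbound=frozenset()):
    """Return {label: sorted unique source IPs} so the '19 unique sources' view is one call."""
    by_label = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_label[classify(rec, known_outbound)].add(rec.get("SRC"))
    return {label: sorted(srcs) for label, srcs in by_label.items()}
```

Sources that land only in the unsolicited SYN/ACK bucket with ID=0 and no DF are worth checking against the operator of the DNS-based load balancers named in the thread before treating them as an attack.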