I've seen lots of DNS MX record requests whenever I post to a Debian list. There are literally hundreds of requests, usually on the order of 700-900 each time. They are full MX record requests. This is relatively new. I'm wondering if a default configuration has changed such that MX records are looked up for incoming mail. It also could be something else.

"Keith.Morgan" wrote:
>
> We've been seeing these as well. But not just to personal firewalls. I've
> seen them on cable modems, dsl lines, and corporate T-1's.
>
> I'm cross-posting this because I've seen references to this type of activity
> on multiple lists.
>
> I'm a bit baffled by this. The source port is always 53, with a random
> destination port. And they appear to be replies to me as well. A
> possibility is that we're being used as decoy addresses in some sort of
> scanning. However, since the addresses are *SO* random, this tends to rule
> out nmap as a scanner using --randomize-hosts. Nmap will randomize, but
> when fed a really large network block to scan, it will scan within three or
> so class C networks at a time.
>
> Are there other scanning tools with the ability to use spoofed decoy
> addresses, yet provide better randomization than nmap when scanning?
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morganat_private
> 304-755-8291 x142
>
> > -----Original Message-----
> > From: Ben Alexander [mailto:balexanderat_private]
> > Sent: Monday, May 14, 2001 10:25 AM
> > To: 'n9ubhat_private'
> > Cc: 'focus-linuxat_private'
> > Subject: RE: DNS Floods to personal firewalls
> >
> >
> > I received these as well, and I know a few others that
> > receive them also.
> > Using arin whois, here is what I put together:
> >
> > [140.239.176.162/17221] HarvardNet
> > [165.121.70.75/64551] Earthlink
> > [194.205.125.26/41123] European Regional Internet Registry
> > [194.213.64.150/47642] European Regional Internet Registry
> > [202.139.133.129/41595] Asia Pacific Network Information Center
> > [203.194.166.182/38808] Asia Pacific Network Information Center
> > [203.208.128.70/12235] Asia Pacific Network Information Center
> > [207.55.138.206/61929] "Verio, Inc."
> > [208.184.162.71/53567] Abovenet Communications
> > [209.249.97.40/45714] Abovenet Communications
> > [212.23.225.98/57974] European Regional Internet Registry
> > [212.78.160.237/29368] European Regional Internet Registry
> > [216.220.39.42/21602] "Myna Communications, Inc."
> > [216.33.35.214/21092] Exodus Communications
> > [216.34.68.2/45906] Exodus Communications
> > [216.35.167.58/32470] Exodus Communications
> > [62.23.80.2/55543] European Regional Internet Registry
> > [62.26.119.34/56523] European Regional Internet Registry
> > [63.209.147.246/54734] Level 3 Communications
> > [64.14.200.154/32735] Exodus Communications
> > [64.37.200.46/65042] Exodus Communications
> > [64.56.174.186/14237] Exodus Communications
> > [64.78.235.14/17768] "Verado, Inc. (Firstworld Communications)"
> >
> > > -----Original Message-----
> > > From: ssratat_private [mailto:ssratat_private]
> > > Sent: Sunday, May 06, 2001 10:24 PM
> > > To: FOCUS-LINUXat_private
> > > Subject: DNS Floods to personal firewalls
> > >
> > >
> > > There seems to be lots of these happening. They appear to be some
> > > kind of DNS replies, but are getting rejected by the firewall - these
> > > reports are coming from the Linux Router Project (LRP) list.
> > >
> > > I've asked for a tcpdump to be sent, as I've not seen these; could it
> > > be a DNS server somewhere was taken over, or some kind of attack tool
> > > generates the same spoofed addresses?
> > >
> > > So far the main report details are the reject lines from ipchains in
> > > /var/logs/messages.
> > >
> > > Here is a portion one person posted:
> > >
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > >
> > > He has the entire thing in an URL:
> > > http://members.iinet.net.au/~paulhng/lrp/kernlog.txt
> > >
> > > It also appears that the same IPs are reported over and over again.
> > > It has the markings of some kind of tool I think - but I'm new at
> > > this.

-- 
| Bryan Andersen | bryanat_private | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
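The ipchains reject lines quoted in the thread are regular enough to parse mechanically. The Python below is an added example, not code from the thread or from any of its posters: it pulls the fields out of each `Packet log:` line and summarises what the posters were checking by eye, namely how many distinct sources hit TCP/53 in the same second, which sources recur, and whether the IP ID and TTL fields look like many independent hosts or one packet generator. The ten port-53 lines in `SAMPLE_LOG` are the ones quoted above; the port-137 line and the second `208.184.162.71` entry are constructed to exercise the port filter and the repeat-source check. The field names, the summary keys and the burst threshold are my own choices.

```python
"""Parse ipchains 'Packet log' DENY lines and summarise a burst of hits on one port."""
import re
from collections import Counter, defaultdict

# Layout of an ipchains kernel log line as it appears in the thread:
#   <ts> <host> kernel: Packet log: <chain> <target> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<total IP length> S=<TOS> I=<IP id>
#   F=<fragment field> T=<TTL> (#<rule number>)
IPCHAINS_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
INT_FIELDS = ("proto", "sport", "dport", "len", "ipid", "ttl", "rule")


def parse_line(line):
    """Return a dict of named fields for one ipchains log line, or None if it does not match."""
    m = IPCHAINS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def summarize(lines, dport=53, burst_min_sources=5):
    """Summarise DENY entries whose destination port is `dport`.

    burst_min_sources: distinct source addresses within one logged second
    needed before that second is reported as a burst (an arbitrary threshold).
    """
    recs = [r for r in map(parse_line, lines)
            if r is not None and r["target"] == "DENY" and r["dport"] == dport]
    per_source = Counter(r["src"] for r in recs)
    per_second = defaultdict(set)
    for r in recs:
        per_second[r["ts"]].add(r["src"])
    ipids = {r["ipid"] for r in recs}
    ttls = [r["ttl"] for r in recs]
    return {
        "total": len(recs),
        "distinct_sources": len(per_source),
        # Sources logged more than once: the "same IPs over and over" the thread mentions.
        "repeat_sources": sorted(s for s, n in per_source.items() if n > 1),
        "bursts": sorted(ts for ts, srcs in per_second.items()
                         if len(srcs) >= burst_min_sources),
        # PROTO=6 with L=44 is the size of a TCP SYN carrying only an MSS option
        # (20-byte IP header + 20-byte TCP header + 4-byte option): a connection
        # attempt to the port, not a DNS answer.
        "syn_sized": sum(1 for r in recs if r["proto"] == 6 and r["len"] == 44),
        # One IP ID value across every source is unusual for independent hosts.
        "constant_ipid": len(ipids) == 1,
        "ttl_range": (min(ttls), max(ttls)) if ttls else None,
    }


# Sample input: the ten lines quoted in the thread, plus two constructed lines
# (a UDP hit on port 137 and a repeat visit from 208.184.162.71) that are not
# from the thread.
SAMPLE_LOG = [
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#37)",
    "May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)",
    # constructed: unrelated NetBIOS probe, should be ignored by the port-53 summary
    "May 6 14:40:12 tifa kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.10:1025 203.59.110.14:137 L=78 S=0x00 I=3412 F=0x0000 T=128 (#37)",
    # constructed: the first source coming back a minute later
    "May 6 14:41:03 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:40211 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it over a real kernel log, pass the open file object to `summarize` in place of `SAMPLE_LOG`. The pattern a practitioner would want to confirm before concluding anything about the sources is the combination the sample produces: one second containing many distinct addresses, every packet 44 bytes (a bare TCP SYN, so a connection attempt to port 53 rather than a DNS reply), and the same IP ID on all of them. TTLs that differ per source are consistent with real paths but do not by themselves prove independent senders.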
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 11:01:23 PDT