16/05/01 01:50:06, "Keith.Morgan" <Keith.Morganat_private> wrote:

I've seen this for the last few months, about the same time there was a
discussion re a Cisco product for load balancing DNS, global distributed
director I think. It always seems to occur shortly after surfing to certain
web sites, Simple Nomad's - Razor, and one or two of the Formula 1 sites.

Is it possible these aren't actually spoofed addresses, but valid DNS
responses that are either mis-timed, or as above related to distributed DNS
servers that the firewall isn't expecting responses from?

Cheers,
SteveR

> We've been seeing these as well. But not just to personal firewalls. I've
> seen them on cable modems, dsl lines, and corporate T-1's.
>
> I'm cross-posting this because I've seen references to this type of activity
> on multiple lists.
>
> I'm a bit baffled by this. The source port is always 53, with a random
> destination port. And they appear to be replies to me as well. A
> possibility is that we're being used as decoy addresses in some sort of
> scanning. However, since the addresses are *SO* random, this tends to rule
> out nmap as a scanner using --randomize-hosts. Nmap will randomize, but
> when fed a really large network block to scan, it will scan within three or
> so class C networks at a time.
>
> Are there other scanning tools with the ability to use spoofed decoy
> addresses, yet provide better randomization than nmap when scanning?
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morganat_private
> 304-755-8291 x142
>
>
>> -----Original Message-----
>> From: Ben Alexander [mailto:balexanderat_private]
>> Sent: Monday, May 14, 2001 10:25 AM
>> To: 'n9ubhat_private'
>> Cc: 'focus-linuxat_private'
>> Subject: RE: DNS Floods to personal firewalls
>>
>>
>> I received these as well, and I know a few others that
>> receive them also.
>> Using arin whois, here is what I put together:
>>
>> [140.239.176.162/17221] HarvardNet
>> [165.121.70.75/64551] Earthlink
>> [194.205.125.26/41123] European Regional Internet Registry
>> [194.213.64.150/47642] European Regional Internet Registry
>> [202.139.133.129/41595] Asia Pacific Network Information Center
>> [203.194.166.182/38808] Asia Pacific Network Information Center
>> [203.208.128.70/12235] Asia Pacific Network Information Center
>> [207.55.138.206/61929] "Verio, Inc."
>> [208.184.162.71/53567] Abovenet Communications
>> [209.249.97.40/45714] Abovenet Communications
>> [212.23.225.98/57974] European Regional Internet Registry
>> [212.78.160.237/29368] European Regional Internet Registry
>> [216.220.39.42/21602] "Myna Communications, Inc."
>> [216.33.35.214/21092] Exodus Communications
>> [216.34.68.2/45906] Exodus Communications
>> [216.35.167.58/32470] Exodus Communications
>> [62.23.80.2/55543] European Regional Internet Registry
>> [62.26.119.34/56523] European Regional Internet Registry
>> [63.209.147.246/54734] Level 3 Communications
>> [64.14.200.154/32735] Exodus Communications
>> [64.37.200.46/65042] Exodus Communications
>> [64.56.174.186/14237] Exodus Communications
>> [64.78.235.14/17768] "Verado, Inc. (Firstworld Communications)"
>>
>> > -----Original Message-----
>> > From: ssratat_private [mailto:ssratat_private]
>> > Sent: Sunday, May 06, 2001 10:24 PM
>> > To: FOCUS-LINUXat_private
>> > Subject: DNS Floods to personal firewalls
>> >
>> >
>> > There seems to be lots of these happening. They appear to be some
>> > kind of DNS replies, but are getting rejected by the firewall - these
>> > reports are coming from the Linux Router Project (LRP) list.
>> >
>> > I've asked for a tcpdump to be sent, as I've not seen these; could it
>> > be a DNS server somewhere was taken over, or some kind of attack tool
>> > generates the same spoofed addresses?
>> >
>> > So far the main report details are the reject lines from ipchains in
>> > /var/logs/messages.
>> >
>> > Here is a portion one person posted:
>> >
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#37)
>> > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
>> >
>> > He has the entire thing at a URL:
>> > http://members.iinet.net.au/~paulhng/lrp/kernlog.txt
>> >
>> > It also appears that the same IPs are reported over and over again.
>> > It has the markings of some kind of tool I think - but I'm new at
>> > this.
>> >
>> >
>> > --
>> > David Douthitt
>> > UNIX Systems Administrator
>> > HP-UX, Unixware, Linux
>> > n9ubhat_private
>> >
>> >
>

Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +649 377 1122, Mob: 025 835530
Fax: +649 377 1109
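The thread turns on a few questions that can be answered directly from the ipchains reject lines: is 53 the source port (a DNS reply, as Keith and David suspect) or the destination port, which protocol is in use, do the same sources repeat, and how far the TTLs spread (packets emitted by a single host that forges source addresses tend to arrive with similar TTLs, while packets from genuinely different hosts usually do not). The following parser is an added example, not code from any poster on the list; it reads lines in the ipchains "Packet log:" format quoted above and summarises them. The sample input reuses four of the logged lines verbatim plus one constructed repeat of 208.184.162.71 and one unrelated kernel line to show that non-matching lines are skipped.

```python
import re
from collections import Counter, defaultdict

# Format of an ipchains reject line as quoted in the thread, e.g.
#   May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
#   208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# IP protocol numbers that matter here; PROTO=6 in the logs is TCP.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: four lines copied from the thread, one constructed
# repeat of the first source address, and one line that is not a packet log.
SAMPLE_LINES = [
    "May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
    "May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)",
    "May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)",
    "May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)",
    # constructed repeat: same source host, different source port
    "May  6 14:40:12 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:40211 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
    # constructed unrelated kernel message, should be ignored
    "May  6 14:40:13 tifa kernel: eth0: link up",
]


def parse_line(line):
    """Return a dict of fields for an ipchains packet-log line, or None."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def summarize(lines):
    """Aggregate the checks a defender wants before guessing at the cause."""
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    by_src = Counter(r["src"] for r in records)
    dst_ports = Counter((r["proto_name"], r["dport"]) for r in records)
    ttls_by_src = defaultdict(set)
    for r in records:
        ttls_by_src[r["src"]].add(r["ttl"])
    ttls = [r["ttl"] for r in records]
    return {
        "parsed": len(records),
        "unique_sources": len(by_src),
        # sources seen more than once ("the same IPs reported over and over")
        "repeat_sources": {ip: n for ip, n in by_src.items() if n > 1},
        # which (protocol, destination port) pairs are being hit
        "dst_ports": dict(dst_ports),
        # packets whose *source* port is 53, i.e. candidate DNS replies
        "sport_53_count": sum(1 for r in records if r["sport"] == 53),
        # TTL range across all packets; a wide spread argues against a
        # single spoofing source unless the tool also randomises TTL
        "ttl_spread": (max(ttls) - min(ttls)) if ttls else 0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run on the sample, the summary reports that every parsed packet is TCP to destination port 53 and none has source port 53, that one source repeats, and that the TTLs spread over 11 hops; in practice you would feed it the full kernlog.txt and compare the source list against a whois lookup as Ben did.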
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 08:39:01 PDT