DNS traffic bursts at tcp port 53 (and 1024)

From: Suhrstedt, Tom (tsuhrstedtat_private)
Date: Wed May 16 2001 - 06:55:19 PDT


    I recently noticed significant bursts of TCP traffic to my firewall (always a hundred or so requests in a burst from roughly the same set of hosts) which are dropped because the firewall sees them as "unknown established TCP packets". I was able to get some relevant information from this mailing list in an old thread from October 2000 ("TCP Connections to port 1024 - DDoS?"), and so am posting to this list to see if anyone can enlighten me or point me in the right direction. In the previous thread, there was a list of hosts supplied, and mine (shown below) are roughly the same:
    
    140.239.176.162                   42.39.220-216.q9.net  
    194.205.125.26                    62.26.119.34  
    202.139.133.129                   63.209.147.246  
    203.194.166.182                   64.14.200.154   
    203.208.128.70                    64.37.200.46  
    208.184.162.71.mirror-image.com   64.56.174.186  
    212.23.225.98                     64.78.235.14               
    216.33.35.214                     S12-0-0-MAD-IA27AR01.ams.nl.COLT.NET  
    216.34.68.2                       host.2.80.23.62.rev.coltfrance.com  
    216.34.68.2                       mirror-image.com                     
    216.35.167.58                     mirrorimage-gw.dlls.tx.verio.net         
    
    There was some discussion about whether this was a DDoS, but a later submission stated that this was used (at least in some cases) on port 1024 as an rtt mechanism and was normal behavior for the global load balancing implemented by mirror-image for their customers using the Cisco Distributed Director. What is different for me is that these packets are arriving on port 53 (rather than 1024). The TCP flags are always SYN/ACK. The DNS portion of the packet appears to be empty. 
    
    I suppose that most of these addresses are intentionally not registered for reverse DNS resolution, though a meaningful name and contact might help people get a clue as to what is going on. When I look some of them up on Whois they are indeed worldwide, and some are reserved by mirror-image.
    
    Any help would be appreciated regarding:
    - any pointers to good information relating to this
    - whether this is definitely load balancing activity 
    - whether it should be expected on port 53 or 1024
    - how many schemes/suppliers/implementations there are of this sort of thing
    
    Some sample traces from snoop are below:
    
      1   0.00000 216.35.167.58 -> x.x.x.x ETHER Type=0800 (IP), size = 60 bytes
      1   0.00000 216.35.167.58 -> x.x.x.x IP  D=x.x.x.x S=216.35.167.58 LEN=44, ID=0
      1   0.00000 216.35.167.58 -> x.x.x.x TCP D=53 S=24567 Syn Ack=655589674 Seq=655589675 Len=0 Win=4128 Options=<mss 536>
      1   0.00000 216.35.167.58 -> x.x.x.x DNS C port=24567
    
    DNS:  ----- DNS:   -----
    DNS:
    DNS:  ""
    DNS:
    ________________________________
      2   0.00892 216.33.35.214 -> x.x.x.x ETHER Type=0800 (IP), size = 60 bytes
      2   0.00892 216.33.35.214 -> x.x.x.x IP  D=x.x.x.x S=216.33.35.214 LEN=44, ID=0
      2   0.00892 216.33.35.214 -> x.x.x.x TCP D=53 S=11645 Syn Ack=239568583 Seq=239568584 Len=0 Win=4128 Options=<mss 536>
      2   0.00892 216.33.35.214 -> x.x.x.x DNS C port=11645
    ________________________________
      3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x ETHER Type=0800 (IP), size = 60 bytes
      3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x IP  D=x.x.x.x S=207.55.138.206 LEN=44, ID=0
      3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x TCP D=53 S=54847 Syn Ack=542170205 Seq=542170206 Len=0 Win=4128 Options=<mss 536>
      3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x DNS C port=54847
    
    Many Thanks.
    ---
    Tom Suhrstedt
    Sowilo Networks
    office: (443) 259-6910
    tsuhrstedtat_private
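
The post's "unknown established TCP packet" symptom boils down to one check: an inbound SYN/ACK is only legitimate if this side previously sent the matching SYN. The following script is an added example and is not code from the post or from any vendor; it parses snoop's one-line TCP summaries (the `TCP D=53 S=24567 Syn Ack=... Seq=... Len=0` lines above), tracks outbound SYNs by 4-tuple, flags SYN/ACKs that answer no such SYN, and groups them into bursts by inter-packet gap. The firewall address `x.x.x.x`, the window and burst thresholds, and the sample trace (the three packets quoted in the post plus constructed lines using RFC 5737 documentation addresses for a genuine outbound connection and a port-1024 probe) are all assumptions made for the example.

```python
"""Classify snoop TCP summary lines: which inbound SYN/ACKs answer a SYN we
actually sent, and which arrive unsolicited (what the firewall in the post
logs as "unknown established TCP packets").  Added example, not from the post."""
import re

LOCAL_HOST = "x.x.x.x"   # the firewall's own (masked) address, as printed in the post

# One snoop TCP summary line per packet.  The text between S=<sport> and Seq=
# carries the flags, e.g. "Syn", "Syn Ack=12345", "Ack=12345", "Push Ack=12345".
SNOOP_TCP = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<delta>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<flags>.*?)\s*Seq=(?P<seq>\d+)\s+Len=(?P<len>\d+)"
)


def parse_snoop_tcp(line):
    """Return a dict for a snoop TCP summary line, or None for any other line
    (ETHER/IP/DNS summaries, verbose DNS dumps, separators)."""
    m = SNOOP_TCP.match(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "num": int(m.group("num")),
        "delta": float(m.group("delta")),   # snoop prints the gap since the previous packet
        "src": m.group("src"), "dst": m.group("dst"),
        "sport": int(m.group("sport")), "dport": int(m.group("dport")),
        "syn": "Syn" in flags.split(),
        "ack": "Ack=" in flags,
        "len": int(m.group("len")),
    }


def classify(lines, local=LOCAL_HOST):
    """Walk the trace in order.  Outbound SYNs open a pending handshake keyed by
    (our port, peer host, peer port); an inbound SYN/ACK is solicited only if it
    closes one of those.  Returns (solicited, unsolicited) with absolute times."""
    pending = set()
    solicited, unsolicited = [], []
    t = 0.0
    for line in lines:
        pkt = parse_snoop_tcp(line)
        if pkt is None:
            continue
        t += pkt["delta"]
        pkt["time"] = t
        if pkt["src"] == local and pkt["syn"] and not pkt["ack"]:
            pending.add((pkt["sport"], pkt["dst"], pkt["dport"]))
        elif pkt["dst"] == local and pkt["syn"] and pkt["ack"]:
            key = (pkt["dport"], pkt["src"], pkt["sport"])
            if key in pending:
                pending.discard(key)
                solicited.append(pkt)
            else:
                unsolicited.append(pkt)
    return solicited, unsolicited


def summarize(group):
    return {
        "start": group[0]["time"],
        "count": len(group),
        "sources": sorted({p["src"] for p in group}),
        "dports": sorted({p["dport"] for p in group}),
        "all_empty": all(p["len"] == 0 for p in group),   # RTT probes carry no payload
    }


def bursts(pkts, window=1.0, min_count=3):
    """Group unsolicited SYN/ACKs into bursts: runs whose consecutive packets are
    at most `window` seconds apart, keeping runs of at least `min_count`."""
    out, cur = [], []
    for p in pkts:
        if cur and p["time"] - cur[-1]["time"] > window:
            if len(cur) >= min_count:
                out.append(summarize(cur))
            cur = []
        cur.append(p)
    if len(cur) >= min_count:
        out.append(summarize(cur))
    return out


# Constructed sample: packets 1-3 are a genuine outbound HTTP handshake, 4-6 are
# the three SYN/ACKs quoted in the post, 7-9 are made up for the example.
SAMPLE_TRACE = """\
  1   0.00000 x.x.x.x -> 198.51.100.10 TCP D=80 S=40001 Syn Seq=100 Len=0 Win=8760 Options=<mss 1460>
  2   0.03100 198.51.100.10 -> x.x.x.x TCP D=40001 S=80 Syn Ack=101 Seq=5000 Len=0 Win=16384 Options=<mss 1460>
  3   0.00010 x.x.x.x -> 198.51.100.10 TCP D=80 S=40001 Ack=5001 Seq=101 Len=0 Win=8760
  4   2.00000 216.35.167.58 -> x.x.x.x TCP D=53 S=24567 Syn Ack=655589674 Seq=655589675 Len=0 Win=4128 Options=<mss 536>
  5   0.00892 216.33.35.214 -> x.x.x.x TCP D=53 S=11645 Syn Ack=239568583 Seq=239568584 Len=0 Win=4128 Options=<mss 536>
  6   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x TCP D=53 S=54847 Syn Ack=542170205 Seq=542170206 Len=0 Win=4128 Options=<mss 536>
  7   0.00200 194.205.125.26 -> x.x.x.x TCP D=53 S=31002 Syn Ack=1 Seq=2 Len=0 Win=4128 Options=<mss 536>
  8   0.00100 216.35.167.58 -> x.x.x.x DNS C port=24567
  9   5.00000 203.0.113.7 -> x.x.x.x TCP D=1024 S=22000 Syn Ack=77 Seq=78 Len=0 Win=4128 Options=<mss 536>
"""

if __name__ == "__main__":
    sol, unsol = classify(SAMPLE_TRACE.splitlines())
    print(f"solicited SYN/ACKs: {len(sol)}, unsolicited: {len(unsol)}")
    for b in bursts(unsol):
        print(f"burst at t={b['start']:.3f}s: {b['count']} pkts to port(s) {b['dports']} "
              f"from {b['sources']}, empty={b['all_empty']}")
```

Feed it `snoop -o capture.snoop` output converted with `snoop -i capture.snoop` (the summary lines above are what that prints); the port-1024 packet in the sample is deliberately isolated in time so it falls below the burst threshold, which is the distinction the post is asking about: a lone stray SYN/ACK is noise, a tight run of empty SYN/ACKs from many networks to one port is a probe pattern.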
    



    This archive was generated by hypermail 2b30 : Wed May 16 2001 - 08:44:51 PDT