Re: DNS Floods to personal firewalls

From: Thomas Roessler (roessler@does-not-exist.org)
Date: Wed May 16 2001 - 02:02:29 PDT


    Last night, I could observe a pattern similar (but not identical!) 
    to the one you report: There was a whole slew of TCP packets to port 
    53, all with the SYN and ACK bits set. (These packets were caught by 
    the stateful packet filter of linux 2.4.)
    
    I looked at the list of source IP addresses you compiled, and found 
    that 21 of them are occurring in my logs, too.
    
    The same characteristic also applies to the logs at 
    http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David 
    posted, and which are 10 days old. (!)
    
    On de.comp.security.firewall, "Michael Linke" <mlat_private> 
    has been talking about what he describes as "little DDoS attacks 
    (20-30 clients) with SYN ACK packets to port 53", which looks like 
    he is seeing the same activities we are observing.
    
    My own logs are attached.  Also, here's a summary of the IP 
    addresses and where they occur.  keith means that the address was in 
    your list, tifa means that it was in kernlog.txt (it's the host name 
    there), and sobolev means that it was in my logs (host name once 
    again).
    
    140.239.176.162   keith   sobolev   tifa
    165.121.70.75     keith                     *
    194.205.125.26    keith   sobolev   tifa
    194.213.64.150    keith   sobolev   tifa
    202.139.133.129   keith   sobolev   tifa
    203.194.166.182   keith   sobolev   tifa
    203.208.128.70    keith   sobolev   tifa
    207.55.138.206    keith   sobolev   tifa
    208.184.162.71    keith   sobolev   tifa
    209.249.97.40     keith   sobolev   tifa
    212.23.225.98     keith   sobolev   tifa
    212.78.160.237    keith             tifa    *
    212.78.164.193            sobolev           *
    216.220.39.42     keith   sobolev   tifa
    216.33.35.214     keith   sobolev   tifa
    216.34.68.2       keith   sobolev   tifa
    216.35.167.58     keith   sobolev   tifa
    62.23.80.2        keith   sobolev   tifa
    62.26.119.34      keith   sobolev   tifa
    63.209.147.246    keith   sobolev   tifa
    64.14.200.154     keith   sobolev   tifa
    64.37.200.46      keith   sobolev   tifa
    64.56.174.186     keith   sobolev   tifa
    64.78.235.14      keith   sobolev   tifa
    
    Note, in particular, that a whole lot of these addresses are 
    occurring in all three log files.  However, one IP only occurred on 
    sobolev, one IP is only included with Keith's list, and one IP was 
    observed by Keith and on tifa, but not on sobolev.
    
    Anyway, I don't have any conclusions to offer on this, but maybe 
    someone else can offer reasonable ideas.
    
    
    On 2001-05-15 09:50:06 -0400, Keith.Morgan wrote:
    >Mailing-List: contact incidents-helpat_private; run by ezmlm
    >From: "Keith.Morgan" <Keith.Morganat_private>
    >To: "'focus-linuxat_private'" <focus-linuxat_private>
    >Cc: "'incidentsat_private'" <incidentsat_private>
    >Subject: RE: DNS Floods to personal firewalls
    >Date: Tue, 15 May 2001 09:50:06 -0400
    >X-Mailer: Internet Mail Service (5.5.2650.21)
    >
    >We've been seeing these as well.  But not just to personal firewalls.  I've
    >seen them on cable modems, dsl lines, and corporate T-1's.   
    >
    >I'm cross-posting this because I've seen references to this type of activity
    >on multiple lists.
    >
    >I'm a bit baffled by this.  The source port is always 53, with a random
    >destination port.  And they appear to be replies to me as well.  A
    >possibility is that we're being used as decoy addresses in some sort of
    >scanning.  However, since the addresses are *SO* random, this tends to rule
    >out nmap as a scanner using --randomize-hosts.  Nmap will randomize, but
    >when fed a really large network block to scan, it will scan within three or
    >so class C networks at a time.  
    >
    >Are there other scanning tools with the ability to use spoofed decoy
    >addresses, yet provide better randomization than nmap when scanning?
    >
    >Keith T. Morgan
    >Chief of Information Security
    >Terradon Communications
    >keith.morganat_private
    >304-755-8291 x142
    > 
    >
    >> -----Original Message-----
    >> From: Ben Alexander [mailto:balexanderat_private]
    >> Sent: Monday, May 14, 2001 10:25 AM
    >> To: 'n9ubhat_private'
    >> Cc: 'focus-linuxat_private'
    >> Subject: RE: DNS Floods to personal firewalls
    >> 
    >> 
    >> I received these as well, and I know a few others that 
    >> receive them also.
    >> Using arin whois, here is what I put together:
    >> 
    >> [140.239.176.162/17221]	HarvardNet
    >> [165.121.70.75/64551]	Earthlink
    >> [194.205.125.26/41123]	European Regional Internet Registry
    >> [194.213.64.150/47642]	European Regional Internet Registry
    >> [202.139.133.129/41595]	Asia Pacific Network Information Center
    >> [203.194.166.182/38808]	Asia Pacific Network Information Center
    >> [203.208.128.70/12235]	Asia Pacific Network Information Center
    >> [207.55.138.206/61929]	"Verio, Inc."
    >> [208.184.162.71/53567]	Abovenet Communications
    >> [209.249.97.40/45714]	Abovenet Communications
    >> [212.23.225.98/57974]	European Regional Internet Registry
    >> [212.78.160.237/29368]	European Regional Internet Registry
    >> [216.220.39.42/21602]	"Myna Communications, Inc."
    >> [216.33.35.214/21092]	Exodus Communications
    >> [216.34.68.2/45906]	Exodus Communications
    >> [216.35.167.58/32470]	Exodus Communications
    >> [62.23.80.2/55543]	European Regional Internet Registry
    >> [62.26.119.34/56523]	European Regional Internet Registry
    >> [63.209.147.246/54734]	Level 3 Communications
    >> [64.14.200.154/32735]	Exodus Communications
    >> [64.37.200.46/65042]	Exodus Communications
    >> [64.56.174.186/14237]	Exodus Communications
    >> [64.78.235.14/17768]	"Verado, Inc. (Firstworld Communications)"
    >> 
    >> > -----Original Message-----
    >> > From: ssratat_private [mailto:ssratat_private]
    >> > Sent: Sunday, May 06, 2001 10:24 PM
    >> > To: FOCUS-LINUXat_private
    >> > Subject: DNS Floods to personal firewalls
    >> > 
    >> > 
    >> > There seems to be lots of these happening.  They appear to be some
    >> > kind of DNS replies, but are getting rejected by the firewall - these
    >> > reports are coming from the Linux Router Project (LRP) list.
    >> > 
    >> > I've asked for a tcpdump to be sent, as I've not seen these; could it
    >> > be a DNS server somewhere was taken over, or some kind of attack tool
    >> > generates the same spoofed addresses?
    >> > 
    >> > So far the main report details are the reject lines from ipchains in
    >> > /var/logs/messages.
    >> > 
    >> > Here is a portion one person posted:
    >> > 
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#37)
    >> > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
    >> > 
    >> > He has the entire thing in an URL:
    >> > http://members.iinet.net.au/~paulhng/lrp/kernlog.txt
    >> > 
    >> > It also appears that the same IPs are reported over and over again.
    >> > It has the markings of some kind of tool I think - but I'm new at
    >> > this.
    >> > 
    >> > 
    >> > --
    >> > David Douthitt
    >> > UNIX Systems Administrator
    >> > HP-UX, Unixware, Linux
    >> > n9ubhat_private
    >> > 
    >> 
    >
    
    -- 
    Thomas Roessler                        http://log.does-not-exist.org/
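As an added example (not code from any message in this thread), here is the cross-check Thomas describes, automated in Python: parse ipchains "Packet log" DENY lines for TCP packets to port 53, collect the source addresses each observer saw, and tabulate which observers share each address, flagging the ones not common to all. The sample log lines and the abbreviated "keith" list are constructed from addresses quoted in the thread; the real sobolev log is not on the page and is assumed here to be in the same ipchains format.

```python
import re
from collections import defaultdict

# Matches the ipchains kernel log format quoted in the thread, e.g.
# "... Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 ..."
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def dns_tcp_sources(log_lines, dport=53):
    """Source IPs of denied TCP (PROTO=6) packets aimed at dport."""
    found = set()
    for line in log_lines:
        m = IPCHAINS_RE.search(line)
        if m and m["proto"] == "6" and int(m["dport"]) == dport:
            found.add(m["src"])
    return found

def cross_reference(observers):
    """observers: {name: set of IPs}. Returns {ip: sorted observer names}."""
    table = defaultdict(list)
    for name in sorted(observers):
        for ip in observers[name]:
            table[ip].append(name)
    return dict(table)

def partial_matches(table, observers):
    """IPs not seen by every observer (the rows Thomas marks with '*')."""
    return sorted(ip for ip, names in table.items() if len(names) < len(observers))

# Constructed sample input modelled on the thread's quoted lines (sobolev's real log is not on the page).
TIFA_LOG = [
    "May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
    "May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)",
    "May  6 14:40:01 tifa kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.7:1234 203.59.110.14:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#37)",  # UDP, skipped
]
SOBOLEV_LOG = [
    "May 15 23:10:02 sobolev kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:41002 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)",
    "May 15 23:10:02 sobolev kernel: Packet log: input DENY ppp0 PROTO=6 212.78.164.193:51234 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#37)",
]
KEITH_LIST = {"208.184.162.71", "202.139.133.129", "165.121.70.75"}  # subset of the posted list

if __name__ == "__main__":
    obs = {"keith": KEITH_LIST, "tifa": dns_tcp_sources(TIFA_LOG),
           "sobolev": dns_tcp_sources(SOBOLEV_LOG)}
    table = cross_reference(obs)
    for ip in sorted(table, key=lambda a: tuple(map(int, a.split(".")))):
        print(f"{ip:16} {' '.join(table[ip]):22} {'*' if len(table[ip]) < len(obs) else ''}")
```

Feeding real logs in is a matter of replacing the constructed lists with the file contents; the UDP line shows that only TCP to the chosen port is counted.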
    
    
    



    This archive was generated by hypermail 2b30 : Wed May 16 2001 - 15:09:51 PDT