Re: DNS Floods to personal firewalls

From: yves.sounat_private
Date: Thu May 17 2001 - 02:04:56 PDT


    This traffic appears to be the result of an RTT measurement which 
    involves Mirror-image servers. According to Mirror-image, a load 
    balancer (Cisco's Distributed Director) is used.
    
    More on DRP-RTT metric: 
    http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm
    
    
    I see all the nodes quoted in the following list except 165.121.70.75 and 
    212.78.164.193.
    
    I think the ACK flag and port 53 are used to bypass routers' filters.
    
    
    Yves Soun.
    
    
    --------------- CERTA (French Governmental CSIRT) ---------------
             Phone:  (+33) 1 41 46 25 23
             Fax:    (+33) 1 41 46 37 01
             E-mail: CERTA-svpat_private
    -----------------------------------------------------------------
    
    >On 2001-05-16 11:02:29 +0200, Thomas Roessler wrote:
    >
    >>The same characteristic also applies to the logs at 
    >>http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David 
    >>posted, and which are 10 days old. (!)
    >
    >Asking google for a randomly selected common IP address from the 
    >list, I found 
    ><http://my.maceast.com/homevision-u-l/ace-l/linux-router-l/%2330765452>, 
    >where Nicolas Riendeau reports a similar scan which happened on 
    >April 13, 2001.
    >
    >Taking his log file entries ("MrShield") into account, the table of 
    >attackers' IP addresses looks like this now:
    >
    >140.239.176.162  keith  sobolev  tifa  mrshield
    >165.121.70.75    keith
    >194.205.125.26   keith  sobolev  tifa  mrshield
    >194.213.64.150   keith  sobolev  tifa  mrshield
    >202.139.133.129  keith  sobolev  tifa  mrshield
    >203.194.166.182  keith  sobolev  tifa  mrshield
    >203.208.128.70   keith  sobolev  tifa  mrshield
    >207.55.138.206   keith  sobolev  tifa
    >208.184.162.71   keith  sobolev  tifa  mrshield
    >209.249.97.40    keith  sobolev  tifa  mrshield
    >212.23.225.98    keith  sobolev  tifa  mrshield
    >212.78.160.237   keith           tifa  mrshield
    >212.78.164.193          sobolev
    >216.220.39.42    keith  sobolev  tifa  mrshield
    >216.33.35.214    keith  sobolev  tifa  mrshield
    >216.34.68.2      keith  sobolev  tifa  mrshield
    >216.35.167.58    keith  sobolev  tifa
    >62.23.80.2       keith  sobolev  tifa  mrshield
    >62.26.119.34     keith  sobolev  tifa  mrshield
    >63.209.147.246   keith  sobolev  tifa  mrshield
    >64.14.200.154    keith  sobolev  tifa
    >64.37.200.46     keith  sobolev  tifa  mrshield
    >64.56.174.186    keith  sobolev  tifa  mrshield
    >64.78.235.14     keith  sobolev  tifa
    >
    >Maybe what we are seeing here are mostly decoy addresses used by 
    >some tool with an extremely bad RNG?
    >
    >--
    >Thomas Roessler                        http://log.does-not-exist.org/
    
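An added example, not code from either poster: it reproduces the cross-reporter table Thomas built by hand and applies the test Yves describes (TCP with ACK set, no SYN, destination port 53), so that addresses seen by every reporter can be separated from the ones that only one log contains. The log line format and the `10.0.0.9` entries are constructed for the example; the real kernlog.txt is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, hypothetical format
# (reporter, source address, destination port, TCP flags).
SAMPLE_LOG = """\
keith    SRC=140.239.176.162 DPT=53 FLAGS=ACK
keith    SRC=165.121.70.75   DPT=53 FLAGS=ACK
keith    SRC=10.0.0.9        DPT=53 FLAGS=SYN
sobolev  SRC=140.239.176.162 DPT=53 FLAGS=ACK
sobolev  SRC=212.78.164.193  DPT=53 FLAGS=ACK
tifa     SRC=140.239.176.162 DPT=53 FLAGS=ACK
tifa     SRC=10.0.0.9        DPT=80 FLAGS=ACK
mrshield SRC=140.239.176.162 DPT=53 FLAGS=ACK
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<reporter>\w+)\s+SRC=(?P<src>[\d.]+)\s+"
    r"DPT=(?P<dpt>\d+)\s+FLAGS=(?P<flags>[A-Z,]+)$"
)

def is_ack_to_dns(dpt, flags):
    """The signature discussed in the thread: ACK set, SYN clear, port 53.
    A stateless 'established'-style router filter passes such packets."""
    f = set(flags.split(","))
    return dpt == 53 and "ACK" in f and "SYN" not in f

def correlate(lines):
    """Map each source address to the sorted reporters who logged it
    with the ACK-to-53 signature (the table Thomas assembled by hand)."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_ack_to_dns(int(m["dpt"]), m["flags"]):
            seen[m["src"]].add(m["reporter"])
    return {ip: sorted(r) for ip, r in seen.items()}

def classify(table, reporters):
    """Split addresses seen by every reporter (consistent with one shared
    upstream source such as an RTT-probing load balancer) from the rest."""
    common = {ip for ip, r in table.items() if set(r) == set(reporters)}
    return sorted(common), sorted(set(table) - common)

if __name__ == "__main__":
    table = correlate(SAMPLE_LOG)
    for ip, r in sorted(table.items()):
        print(f"{ip:<16} {' '.join(r)}")
    print(classify(table, ["keith", "sobolev", "tifa", "mrshield"]))
```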



    This archive was generated by hypermail 2b30 : Thu May 17 2001 - 08:42:55 PDT