This may be an example of DNS triangulation servers testing round-trip time to your server. Several companies sell hardware/software that attempts to find the nearest web mirror site to a client by sending these packets from the mirrors to get response times. Here is a response I got when I sent a complaint to one such server's owners.

Date: Wed, 2 May 2001 15:21:09 -0700
From: EAI <eaiat_private>
To: "'Arisat_private'" <Arisat_private>
Subject: {EAI#062-681} Questions regarding 209.67.29.8

Hello,

The IP address you listed below is currently in use by USA Today. Here is the explanation for the traffic: http://www.usatoday.com/dns.htm. If you have any more questions, email Raul Miller (raulat_private).

Thanks,

"DeCamp, Paul" <PDeCampat_private> on 05/24/2001 14:33:28
To: "INCIDENTS (E-mail)" <incidentsat_private>
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: SYN/ACK to port 53

OK, this is beginning to drive me nuts. Since about February of this year, our firewall has been periodically hit with what can only be a probe, attack, whatever to port 53. Every time the scan exhibits the same behavior and is from the same set of IP addresses. A SYN/ACK packet is sent to TCP port 53. No SYN was sent from our system. The SYN and ACK sequence numbers appear to be random, but the ACK is always 1 less than the SYN. Our system responds with a RST to the ACK. I have searched books, the Internet (SANS, SecurityFocus, etc.), and while I have found other reports of somewhat-similar activity, I have to this day found no coherent explanation as to what this is. Based on the SYN/ACK numbers, this is obviously some sort of malformed packet, but to what purpose? To spoof our system into thinking that it has sent a SYN when it hasn't? Is it a type of SYN flood? To hijack a port on our system? A scan for some trojan?

Any assistance would be appreciated, and better yet, any advice as to where on the Internet is a good location for looking up such obviously abnormal activity and what the possible explanations may be. Thanks.

------------------
Paul DeCamp, IT Operations Lead
MedManage Systems Inc.
Voice: (425) 354-2212
E-Mail: PDeCampat_private
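The behaviour described in the thread (an inbound SYN/ACK that no local SYN solicited, answered by a RST) is easy to tell apart from a real handshake reply if you keep a little state. The following is an added example, not code from the list or from either poster: it tracks the SYNs our host sent, classifies each inbound SYN/ACK as solicited (its ACK equals our ISN + 1) or unsolicited, notes the ACK == SEQ - 1 relationship DeCamp reported, and shows the RST a conforming stack sends back for an unsolicited SYN/ACK (RFC 793: a segment carrying ACK that hits a closed port is answered with a RST whose sequence number is the incoming ACK value). The packet records, the local address 192.0.2.10 and the remote addresses are constructed sample data in documentation ranges, not captures from the incident.

```python
"""Classify inbound SYN/ACKs as solicited or unsolicited.

Added example for the INCIDENTS thread on SYN/ACK probes to port 53; it is
not code from the original posts.  All packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF          # TCP sequence space wraps at 2**32


@dataclass(frozen=True)
class Pkt:
    ts: float                # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # "S" = SYN, "SA" = SYN/ACK, "R" = RST
    seq: int
    ack: int


OUR_HOST = "192.0.2.10"      # assumed local address (documentation range)


def classify(packets: List[Pkt]) -> List[Tuple[float, str, str]]:
    """Return (ts, flow, verdict) for every inbound SYN/ACK.

    A SYN/ACK is solicited only if we previously sent a SYN to that exact
    remote ip:port from that local port and the SYN/ACK acknowledges our
    ISN + 1.  Anything else is an unsolicited probe or a spoofed reply.
    """
    # pending outbound SYNs: (remote ip, remote port, local port) -> our ISN
    pending: Dict[Tuple[str, int, int], int] = {}
    findings: List[Tuple[float, str, str]] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.src == OUR_HOST and p.flags == "S":
            pending[(p.dst, p.dport, p.sport)] = p.seq
        elif p.dst == OUR_HOST and p.flags == "SA":
            key = (p.src, p.sport, p.dport)
            isn = pending.get(key)
            if isn is not None and p.ack == (isn + 1) & MASK32:
                verdict = "solicited"
                del pending[key]
            else:
                verdict = "unsolicited"
                # The poster saw ACK == SEQ - 1 on every probe; flag that
                # pattern so repeat hits from the same source stand out.
                if p.ack == (p.seq - 1) & MASK32:
                    verdict += " (ack == seq-1, matches reported pattern)"
            findings.append((p.ts, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", verdict))
    return findings


def expected_rst(synack: Pkt) -> Pkt:
    """The RST a closed port sends back for an unsolicited SYN/ACK.

    Per RFC 793, a segment with ACK set arriving at a closed port gets
    <SEQ=SEG.ACK><CTL=RST>.  This is the reply the probe's sender times.
    """
    return Pkt(synack.ts, OUR_HOST, synack.dport, synack.src, synack.sport,
               "R", synack.ack, 0)


# Constructed sample traffic: one real handshake and two unsolicited SYN/ACKs
SAMPLE = [
    Pkt(1.000, OUR_HOST, 40000, "198.51.100.5", 80, "S", 1000, 0),
    Pkt(1.050, "198.51.100.5", 80, OUR_HOST, 40000, "SA", 5000, 1001),
    Pkt(2.000, "203.0.113.7", 53, OUR_HOST, 1234, "SA", 777777, 777776),
    Pkt(3.000, "203.0.113.9", 53, OUR_HOST, 1234, "SA", 42, 99),
]

if __name__ == "__main__":
    for ts, flow, verdict in classify(SAMPLE):
        print(f"{ts:8.3f}  {flow:40s}  {verdict}")
    rst = expected_rst(SAMPLE[2])
    print(f"host replies: {rst.src}:{rst.sport} -> {rst.dst}:{rst.dport} "
          f"flags={rst.flags} seq={rst.seq}")
```

Feeding real traffic into `classify` only needs a reader that turns each captured segment into a `Pkt`; the verdict logic does not change. Note that a source that keeps sending probes from a fixed address over months, as in the post, will show up as the same `flow` string with the same verdict every time, which is the cheap way to separate a measurement probe from a one-off scan.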
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 09:51:25 PDT