I first noticed odd probes not too long after h.gtld-servers.net went
online (yes, I meant H and not I). I use the ARIS security focus stuff
as a sanity check (i.e. if I'm the only one seeing something, not a big
deal).
I see listed "Total Incidents: 6372, System Cumulative Incidents: 6372,
Other Affected ARIS Users: 32" for 192.36.144.133. Hey, a little bit of
this could be some kid out of school using nmap to spoof, except that
they are valid (sort of) queries, and they just look ODD. Below is a
snort sample (yes, it's always to port 8708, which is indeed bound to
named):
[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
len:0x9A
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
Len: 120
57 F0 80 00 00 01 00 00 00 02 00 02 03 52 53 31 W............RS1
04 41 52 49 4E 03 4E 45 54 00 00 01 00 01 C0 10 .ARIN.NET.......
00 02 00 01 00 02 A3 00 00 0D 03 52 49 50 03 50 ...........RIP.P
53 47 03 43 4F 4D 00 C0 10 00 02 00 01 00 02 A3 SG.COM..........
00 00 0D 03 52 53 30 06 4E 45 54 53 4F 4C C0 32 ....RS0.NETSOL.2
C0 2A 00 01 00 01 00 02 A3 00 00 04 93 1C 00 27 .*.............'
C0 43 00 01 00 01 00 02 A3 00 00 04 D8 A8 E0 CE .C..............
[**] IDS03 - MISC-Traceroute UDP [**]
06/15-08:12:23.098548 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
len:0x20F
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18918
Len: 493
8A 48 80 00 00 01 00 01 00 0C 00 0C 04 44 4E 53 .H...........DNS
34 02 43 50 04 4D 53 46 54 03 4E 45 54 00 00 01 4.CP.MSFT.NET...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 CF 2E ................
8A 0B C0 14 00 02 00 01 00 02 A3 00 00 07 04 44 ...............D
4E 53 32 C0 11 C0 14 00 02 00 01 00 02 A3 00 00 NS2.............
07 04 44 4E 53 31 C0 11 C0 14 00 02 00 01 00 02 ..DNS1..........
A3 00 00 0A 04 44 4E 53 31 02 54 4B C0 14 C0 14 .....DNS1.TK....
00 02 00 01 00 02 A3 00 00 07 04 44 4E 53 32 C0 ...........DNS2.
69 C0 14 00 02 00 01 00 02 A3 00 00 0A 04 44 4E i.............DN
53 33 02 55 4B C0 14 C0 14 00 02 00 01 00 02 A3 S3.UK...........
00 00 07 04 44 4E 53 34 C0 92 C0 14 00 02 00 01 ....DNS4........
00 02 A3 00 00 0A 04 44 4E 53 33 02 4A 50 C0 14 .......DNS3.JP..
C0 14 00 02 00 01 00 02 A3 00 00 07 04 44 4E 53 .............DNS
34 C0 BB C0 14 00 02 00 01 00 02 A3 00 00 0A 04 4...............
44 4E 53 31 02 44 43 C0 14 C0 14 00 02 00 01 00 DNS1.DC.........
02 A3 00 00 07 04 44 4E 53 32 C0 E4 C0 14 00 02 ......DNS2......
00 01 00 02 A3 00 00 0A 04 44 4E 53 31 02 53 4A .........DNS1.SJ
C0 14 C0 14 00 02 00 01 00 02 A3 00 00 07 04 44 ...............D
4E 53 32 C1 0D C0 3E 00 01 00 01 00 02 A3 00 00 NS2...>.........
04 CF 2E 8A 15 C0 51 00 01 00 01 00 02 A3 00 00 ......Q.........
04 CF 2E 8A 14 C0 64 00 01 00 01 00 02 A3 00 00 ......d.........
04 CF 2E E8 25 C0 7A 00 01 00 01 00 02 A3 00 00 ....%.z.........
04 CF 2E E8 26 C0 8D 00 01 00 01 00 02 A3 00 00 ....&...........
04 D5 C7 90 97 C0 A3 00 01 00 01 00 02 A3 00 00 ................
04 D5 C7 90 98 C0 B6 00 01 00 01 00 02 A3 00 00 ................
04 CF 2E 48 7B C0 CC 00 01 00 01 00 02 A3 00 00 ...H{...........
04 CF 2E 48 7C C0 DF 00 01 00 01 00 02 A3 00 00 ...H|...........
04 CF 44 80 97 C0 F5 00 01 00 01 00 02 A3 00 00 ..D.............
04 CF 44 80 98 C1 08 00 01 00 01 00 02 A3 00 00 ..D.............
04 CF 2E 61 0B C1 1E 00 01 00 01 00 02 A3 00 00 ...a............
04 CF 2E 61 0C ...a.
Any suggestions? I'm just plain baffled. Oh, and I now have tcpdump
running, just waiting for any further stuff from it. Hey, if you can't
trust the (sub)root servers, who can you trust?
--
When explaining a command, or language feature, or hardware widget,
first describe the problem it is designed to solve.
David Martin
This archive was generated by hypermail 2b30 : Sun Jun 17 2001 - 12:31:20 PDT