What is up with i.gtld-servers.net?

From: Etaoin Shrdlu (shrdluat_private)
Date: Fri Jun 15 2001 - 10:29:39 PDT

    I first noticed odd probes not too long after h.gtld-servers.net went
    online (yes, I meant H and not I). I use the ARIS security focus stuff
    as a sanity check (i.e. if I'm the only one seeing something, not a big
    deal).
    
    I see listed "Total Incidents: 6372, System Cumulative Incidents: 6372,
    Other Affected ARIS Users: 32" for 192.36.144.133. Hey, a little bit of
    this could be some kid out of school using nmap to spoof, except that
    they are valid (sort of) queries, and they just look ODD. Below is a
    snort sample (yes, it's always to port 8708, which is indeed bound to
    named):
    
    [**] IDS03 - MISC-Traceroute UDP [**]
    06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
    len:0x9A
    192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065 
    Len: 120
    57 F0 80 00 00 01 00 00 00 02 00 02 03 52 53 31  W............RS1
    04 41 52 49 4E 03 4E 45 54 00 00 01 00 01 C0 10  .ARIN.NET.......
    00 02 00 01 00 02 A3 00 00 0D 03 52 49 50 03 50  ...........RIP.P
    53 47 03 43 4F 4D 00 C0 10 00 02 00 01 00 02 A3  SG.COM..........
    00 00 0D 03 52 53 30 06 4E 45 54 53 4F 4C C0 32  ....RS0.NETSOL.2
    C0 2A 00 01 00 01 00 02 A3 00 00 04 93 1C 00 27  .*.............'
    C0 43 00 01 00 01 00 02 A3 00 00 04 D8 A8 E0 CE  .C..............
    
    [**] IDS03 - MISC-Traceroute UDP [**]
    06/15-08:12:23.098548 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
    len:0x20F
    192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18918 
    Len: 493
    8A 48 80 00 00 01 00 01 00 0C 00 0C 04 44 4E 53  .H...........DNS
    34 02 43 50 04 4D 53 46 54 03 4E 45 54 00 00 01  4.CP.MSFT.NET...
    00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 CF 2E  ................
    8A 0B C0 14 00 02 00 01 00 02 A3 00 00 07 04 44  ...............D
    4E 53 32 C0 11 C0 14 00 02 00 01 00 02 A3 00 00  NS2.............
    07 04 44 4E 53 31 C0 11 C0 14 00 02 00 01 00 02  ..DNS1..........
    A3 00 00 0A 04 44 4E 53 31 02 54 4B C0 14 C0 14  .....DNS1.TK....
    00 02 00 01 00 02 A3 00 00 07 04 44 4E 53 32 C0  ...........DNS2.
    69 C0 14 00 02 00 01 00 02 A3 00 00 0A 04 44 4E  i.............DN
    53 33 02 55 4B C0 14 C0 14 00 02 00 01 00 02 A3  S3.UK...........
    00 00 07 04 44 4E 53 34 C0 92 C0 14 00 02 00 01  ....DNS4........
    00 02 A3 00 00 0A 04 44 4E 53 33 02 4A 50 C0 14  .......DNS3.JP..
    C0 14 00 02 00 01 00 02 A3 00 00 07 04 44 4E 53  .............DNS
    34 C0 BB C0 14 00 02 00 01 00 02 A3 00 00 0A 04  4...............
    44 4E 53 31 02 44 43 C0 14 C0 14 00 02 00 01 00  DNS1.DC.........
    02 A3 00 00 07 04 44 4E 53 32 C0 E4 C0 14 00 02  ......DNS2......
    00 01 00 02 A3 00 00 0A 04 44 4E 53 31 02 53 4A  .........DNS1.SJ
    C0 14 C0 14 00 02 00 01 00 02 A3 00 00 07 04 44  ...............D
    4E 53 32 C1 0D C0 3E 00 01 00 01 00 02 A3 00 00  NS2...>.........
    04 CF 2E 8A 15 C0 51 00 01 00 01 00 02 A3 00 00  ......Q.........
    04 CF 2E 8A 14 C0 64 00 01 00 01 00 02 A3 00 00  ......d.........
    04 CF 2E E8 25 C0 7A 00 01 00 01 00 02 A3 00 00  ....%.z.........
    04 CF 2E E8 26 C0 8D 00 01 00 01 00 02 A3 00 00  ....&...........
    04 D5 C7 90 97 C0 A3 00 01 00 01 00 02 A3 00 00  ................
    04 D5 C7 90 98 C0 B6 00 01 00 01 00 02 A3 00 00  ................
    04 CF 2E 48 7B C0 CC 00 01 00 01 00 02 A3 00 00  ...H{...........
    04 CF 2E 48 7C C0 DF 00 01 00 01 00 02 A3 00 00  ...H|...........
    04 CF 44 80 97 C0 F5 00 01 00 01 00 02 A3 00 00  ..D.............
    04 CF 44 80 98 C1 08 00 01 00 01 00 02 A3 00 00  ..D.............
    04 CF 2E 61 0B C1 1E 00 01 00 01 00 02 A3 00 00  ...a............
    04 CF 2E 61 0C                                   ...a.
    
    Any suggestions? I'm just plain baffled. Oh, and I now have tcpdump
    running, just waiting for any further stuff from it. Hey, if you can't
    trust the (sub)root servers, who can you trust?
    
    --
    When explaining a command, or language feature, or hardware widget,
    first describe the problem it is designed to solve.
                  David Martin
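As an added example (not part of the original post), the decoder below parses the first Snort payload quoted above as a DNS message, including RFC 1035 name compression pointers (the C0 xx bytes); the hex is copied from that dump and nothing else is assumed. Decoding it shows what the packet actually is: a response to an A query for RS1.ARIN.NET carrying ARIN.NET NS records plus glue, which is the check worth running before treating a TTL-triggered "traceroute" alert on port 53 traffic as a probe.

```python
import struct

# Constructed input: the 112-byte UDP payload from the first Snort dump in the post.
PACKET_HEX = """
57 F0 80 00 00 01 00 00 00 02 00 02 03 52 53 31
04 41 52 49 4E 03 4E 45 54 00 00 01 00 01 C0 10
00 02 00 01 00 02 A3 00 00 0D 03 52 49 50 03 50
53 47 03 43 4F 4D 00 C0 10 00 02 00 01 00 02 A3
00 00 0D 03 52 53 30 06 4E 45 54 53 4F 4C C0 32
C0 2A 00 01 00 01 00 02 A3 00 00 04 93 1C 00 27
C0 43 00 01 00 01 00 02 A3 00 00 04 D8 A8 E0 CE
"""
TYPES = {1: "A", 2: "NS"}

def read_name(msg, off, depth=0):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if depth > 10:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr, depth + 1)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:                        # root label ends the name
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(msg):
    """Return header fields, the question section and all resource records as tuples."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, TYPES.get(qtype, qtype)))
        off += 4
    for _ in range(an + ns + ar):              # answer, authority, additional sections
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:                         # A: dotted-quad address
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 2:                       # NS: name, may use pointers into the message
            value = read_name(msg, off)[0]
        else:
            value = msg[off:off + rdlen].hex()
        records.append((name, TYPES.get(rtype, rtype), ttl, value))
        off += rdlen
    return {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}

def decode_first_dump():
    return parse_dns(bytes.fromhex(PACKET_HEX.replace("\n", " ")))
```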
    
    This archive was generated by hypermail 2b30 : Sun Jun 17 2001 - 12:31:20 PDT