RE: What is up with i.gtld-servers.net?

From: Mike Batchelor (mikebatat_private)
Date: Mon Jun 18 2001 - 12:19:05 PDT


    > I first noticed odd probes not too long after h.gtld-servers.net went
    > online (yes, I meant H and not I). I use the ARIS security focus stuff
    > as a sanity check (i.e. if I'm the only one seeing something, not a big
    > deal).
    
    Nothing is up with I.gtld-servers.net.  Just because it shows up in a snort
    log, or on ARIS, doesn't mean it's a probe, and doesn't even mean it's
    suspicious.  Check out the other GTLD or root servers.  I bet most of them
    have just as many "reports" on ARIS.
    
    The most likely explanation is that Snort "lost state" on your outgoing DNS
    queries, because I.gtld-servers.net is taking too long to answer.  So it
    flagged the "unknown" UDP replies as "misc traceroute" traffic.  You need to
    read IDS logs with a jaundiced eye, or you'll go crazy chasing down false
    positives.
    
    >
    > I see listed "Total Incidents: 6372, System Cumulative Incidents: 6372,
    > Other Affected ARIS Users: 32" for 192.36.144.133. Hey, a little bit of
    > this could be some kid out of school using nmap to spoof, except that
    > they are valid (sort of) queries, and they just look ODD. Below is a
    > snort sample (yes, it's always to port 8708, which is indeed bound to
    > named):
    
    "Valid (sort of) queries"?  Being valid is like being pregnant; there is no
    "sort-of".  What is "looks ODD" about these packets?  They look like normal
    DNS replies to me.
    
    >
    > [**] IDS03 - MISC-Traceroute UDP [**]
    > 06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
    > len:0x9A
    > 192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
    > Len: 120
    > 57 F0 80 00 00 01 00 00 00 02 00 02 03 52 53 31  W............RS1
    > 04 41 52 49 4E 03 4E 45 54 00 00 01 00 01 C0 10  .ARIN.NET.......
    > 00 02 00 01 00 02 A3 00 00 0D 03 52 49 50 03 50  ...........RIP.P
    > 53 47 03 43 4F 4D 00 C0 10 00 02 00 01 00 02 A3  SG.COM..........
    > 00 00 0D 03 52 53 30 06 4E 45 54 53 4F 4C C0 32  ....RS0.NETSOL.2
    > C0 2A 00 01 00 01 00 02 A3 00 00 04 93 1C 00 27  .*.............'
    > C0 43 00 01 00 01 00 02 A3 00 00 04 D8 A8 E0 CE  .C..............
    >
    > [**] IDS03 - MISC-Traceroute UDP [**]
    > 06/15-08:12:23.098548 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
    > len:0x20F
    > 192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18918
    > Len: 493
    > 8A 48 80 00 00 01 00 01 00 0C 00 0C 04 44 4E 53  .H...........DNS
    > 34 02 43 50 04 4D 53 46 54 03 4E 45 54 00 00 01  4.CP.MSFT.NET...
    > 00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 CF 2E  ................
    > 8A 0B C0 14 00 02 00 01 00 02 A3 00 00 07 04 44  ...............D
    > 4E 53 32 C0 11 C0 14 00 02 00 01 00 02 A3 00 00  NS2.............
    > 07 04 44 4E 53 31 C0 11 C0 14 00 02 00 01 00 02  ..DNS1..........
    > A3 00 00 0A 04 44 4E 53 31 02 54 4B C0 14 C0 14  .....DNS1.TK....
    > 00 02 00 01 00 02 A3 00 00 07 04 44 4E 53 32 C0  ...........DNS2.
    > 69 C0 14 00 02 00 01 00 02 A3 00 00 0A 04 44 4E  i.............DN
    > 53 33 02 55 4B C0 14 C0 14 00 02 00 01 00 02 A3  S3.UK...........
    > 00 00 07 04 44 4E 53 34 C0 92 C0 14 00 02 00 01  ....DNS4........
    > 00 02 A3 00 00 0A 04 44 4E 53 33 02 4A 50 C0 14  .......DNS3.JP..
    > C0 14 00 02 00 01 00 02 A3 00 00 07 04 44 4E 53  .............DNS
    > 34 C0 BB C0 14 00 02 00 01 00 02 A3 00 00 0A 04  4...............
    > 44 4E 53 31 02 44 43 C0 14 C0 14 00 02 00 01 00  DNS1.DC.........
    > 02 A3 00 00 07 04 44 4E 53 32 C0 E4 C0 14 00 02  ......DNS2......
    > 00 01 00 02 A3 00 00 0A 04 44 4E 53 31 02 53 4A  .........DNS1.SJ
    > C0 14 C0 14 00 02 00 01 00 02 A3 00 00 07 04 44  ...............D
    > 4E 53 32 C1 0D C0 3E 00 01 00 01 00 02 A3 00 00  NS2...>.........
    > 04 CF 2E 8A 15 C0 51 00 01 00 01 00 02 A3 00 00  ......Q.........
    > 04 CF 2E 8A 14 C0 64 00 01 00 01 00 02 A3 00 00  ......d.........
    > 04 CF 2E E8 25 C0 7A 00 01 00 01 00 02 A3 00 00  ....%.z.........
    > 04 CF 2E E8 26 C0 8D 00 01 00 01 00 02 A3 00 00  ....&...........
    > 04 D5 C7 90 97 C0 A3 00 01 00 01 00 02 A3 00 00  ................
    > 04 D5 C7 90 98 C0 B6 00 01 00 01 00 02 A3 00 00  ................
    > 04 CF 2E 48 7B C0 CC 00 01 00 01 00 02 A3 00 00  ...H{...........
    > 04 CF 2E 48 7C C0 DF 00 01 00 01 00 02 A3 00 00  ...H|...........
    > 04 CF 44 80 97 C0 F5 00 01 00 01 00 02 A3 00 00  ..D.............
    > 04 CF 44 80 98 C1 08 00 01 00 01 00 02 A3 00 00  ..D.............
    > 04 CF 2E 61 0B C1 1E 00 01 00 01 00 02 A3 00 00  ...a............
    > 04 CF 2E 61 0C                                   ...a.
    >
    > Any suggestions? I'm just plain baffled. Oh, and I now have tcpdump
    > running, just waiting for any further stuff from it. Hey, if you can't
    > trust the (sub)root servers, who can you trust?
    >
    > --
    > When explaining a command, or language feature, or hardware widget,
    > first describe the problem it is designed to solve.
    >               David Martin
    >
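
As an added check that is not part of the original message or either poster's code: a small Python decoder for the first Snort record quoted above. It assumes only what is in the dump (the hex columns copied verbatim; the 8-byte UDP header is not printed, so 112 payload bytes remain of the printed "Len: 120") and walks the DNS header, question, authority and additional sections, following RFC 1035 name compression pointers. Decoding shows a textbook referral from a gTLD server: no answer records, two NS records delegating ARIN.NET to RIP.PSG.COM and RS0.NETSOL.COM, and two glue A records for those name servers. The helper names (hexdump_to_bytes, parse_message, looks_like_dns_reply) are my own; looks_like_dns_reply is the kind of triage test an analyst can run over any IDS-flagged UDP payload from port 53 before treating it as a probe.

```python
import re
import socket
import struct

# Constructed input: the hex columns of the first Snort record quoted above. The 8-byte
# UDP header is not part of the dump, so 112 payload bytes remain of the printed "Len: 120".
PACKET1_DUMP = """\
57 F0 80 00 00 01 00 00 00 02 00 02 03 52 53 31  W............RS1
04 41 52 49 4E 03 4E 45 54 00 00 01 00 01 C0 10  .ARIN.NET.......
00 02 00 01 00 02 A3 00 00 0D 03 52 49 50 03 50  ...........RIP.P
53 47 03 43 4F 4D 00 C0 10 00 02 00 01 00 02 A3  SG.COM..........
00 00 0D 03 52 53 30 06 4E 45 54 53 4F 4C C0 32  ....RS0.NETSOL.2
C0 2A 00 01 00 01 00 02 A3 00 00 04 93 1C 00 27  .*.............'
C0 43 00 01 00 01 00 02 A3 00 00 04 D8 A8 E0 CE  .C..............
"""
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

def hexdump_to_bytes(dump):
    """Take at most 16 two-digit hex tokens per line; the ASCII column is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_name(buf, off):
    """Decode a domain name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written in the stream)."""
    labels, end, seen = [], None, set()
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        if off in seen:
            raise ValueError("compression pointer loop")
        seen.add(off)
        length = buf[off]
        if length & 0xC0 == 0xC0:                  # pointer: 11xxxxxx xxxxxxxx
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end  # only the first pointer ends the name
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type 0x%02x" % length)
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "backslashreplace"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_rr(buf, off):
    """Decode one resource record; A and NS/CNAME/PTR RDATA are rendered readably."""
    name, off = parse_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    raw = buf[off:off + rdlen]
    if len(raw) != rdlen:
        raise ValueError("RDATA truncated")
    if rtype == 1 and rdlen == 4:
        rdata = socket.inet_ntoa(raw)
    elif rtype in (2, 5, 12):
        rdata = parse_name(buf, off)[0]            # RDATA names may be compressed too
    else:
        rdata = raw.hex()
    return {"name": name, "type": RR_TYPES.get(rtype, rtype), "class": rclass,
            "ttl": ttl, "rdata": rdata}, off + rdlen

def parse_message(buf):
    """Decode the header and all four sections of a DNS message (RFC 1035 section 4.1)."""
    if len(buf) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    msg = {"id": msg_id, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
           "authoritative": bool(flags & 0x0400), "truncated": bool(flags & 0x0200),
           "rcode": flags & 0xF, "questions": [], "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        qname, off = parse_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        msg["questions"].append((qname, RR_TYPES.get(qtype, qtype), qclass))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = parse_rr(buf, off)
            msg[section].append(rr)
    msg["trailing_bytes"] = len(buf) - off          # a well-formed message leaves none
    return msg

def looks_like_dns_reply(payload):
    """Triage test (hypothetical helper, not a Snort feature): does an IDS-flagged UDP
    payload from port 53 decode as a complete, well-formed DNS response?"""
    try:
        msg = parse_message(payload)
    except (ValueError, struct.error, IndexError):
        return False
    return msg["is_response"] and msg["opcode"] == 0 and msg["trailing_bytes"] == 0
```

Run `parse_message(hexdump_to_bytes(PACKET1_DUMP))` to get the decoded sections; the same parser handles the second, larger record in the post (1 answer, 12 NS, 12 glue A records) if its hex columns are pasted in the same way. Note that the decoder only sees the DNS payload: the IP-level fields Snort prints in the record header (TTL, TOS, ID) are outside it, so a payload that decodes cleanly tells you the application data is ordinary, not why the signature fired.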
    

    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 19:45:33 PDT