Re: Weird DNS scans

From: John Hall (j.hallat_private)
Date: Fri Oct 05 2001 - 15:51:46 PDT

Next message: leon: "RE: new pop3 exploit out?"

Previous message: leon: "new pop3 exploit out?"
In reply to: Richard Smith: "Re: Weird DNS scans"
Next in thread: Seth Milder: "Re: Weird DNS scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Richard Smith wrote:
> Can you post a sanitized dump of the scan?

Yes, please.  We'd be very interested.

> Are the source ports incrementing by one and scanning port 53?
> This is a common trait of BigIP it gathers RTT and
> other stats so that it can properly route you to the
> least loaded server via local load-balancing.

The BIG-IP, when used in conjunction with an F5 3-DNS global load
balancer, will collect RTT (round trip time) information and some
other metrics which are returned to the 3-DNS so it can do *global*
load balancing.  Once the hostname has been resolved to a virtual
server at an appropriate data-center and a connection is opened,
then the BIG-IP *locally* load balances the connection.

Current (up to a year old) software should be using RTT measurements
that are much less detectable (or at least ring fewer alarms).  One
indicator that the scan is an RTT measurement is that the packets
will come in groups of three with the ID field of the packet set
to 1, then 2, then 3.

> The only concern I might have is the fact that IRC is
> reported as listening on port 6667. 

I'd be VERY concerned.  No BIG-IP should have that port open
by default.  It is possible someone has configured their BIG-IP
to pass traffic on that port in to another host, or has created
a virtual server on that port for some purpose.

Generally, a BIG-IP or 3-DNS that was doing RTT measurements would
also show that something was listening on port 4353, so I'd
conclude these are not BIG-IP's (and without port 53, definitely
not 3-DNS's).  It is possible the port 6667 indication is coming
from something on Seth's network (such as a firewall blocking port
6667) rather than from the remote host?

> It could be a compromised host. BigIP uses a modified version of
> FreeBSD.

BIG-IP uses a custom version of BSDI.

> R/
> 
> Richard Smith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: leon: "RE: new pop3 exploit out?"
Previous message: leon: "new pop3 exploit out?"
In reply to: Richard Smith: "Re: Weird DNS scans"
Next in thread: Seth Milder: "Re: Weird DNS scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Oct 06 2001 - 11:18:25 PDT