Re: Weird DNS scans

From: John Hall (j.hallat_private)
Date: Fri Oct 05 2001 - 15:51:46 PDT


    Richard Smith wrote:
    > Can you post a sanitized dump of the scan?
    
    Yes, please.  We'd be very interested.
    
    > Are the source ports incrementing by one and scanning port 53?
    > This is a common trait of BigIP; it gathers RTT and
    > other stats so that it can properly route you to the
    > least loaded server via local load-balancing.
    
    The BIG-IP, when used in conjunction with an F5 3-DNS global load
    balancer, will collect RTT (round trip time) information and some
    other metrics which are returned to the 3-DNS so it can do *global*
    load balancing.  Once the hostname has been resolved to a virtual
    server at an appropriate data-center and a connection is opened,
    then the BIG-IP *locally* load balances the connection.
    
    Current (up to a year old) software should be using RTT measurements
    that are much less detectable (or at least ring fewer alarms).  One
    indicator that the scan is an RTT measurement is that the packets
    will come in groups of three with the ID field of the packet set
    to 1, then 2, then 3.
    
    > The only concern I might have is the fact that IRC is
    > reported as listening on port 6667. 
    
    I'd be VERY concerned.  No BIG-IP should have that port open
    by default.  It is possible someone has configured their BIG-IP
    to pass traffic on that port in to another host, or has created
    a virtual server on that port for some purpose.
    
    Generally, a BIG-IP or 3-DNS that was doing RTT measurements would
    also show that something was listening on port 4353, so I'd
    conclude these are not BIG-IPs (and without port 53, definitely
    not 3-DNSs).  Is it possible the port 6667 indication is coming
    from something on Seth's network (such as a firewall blocking port
    6667) rather than from the remote host?
    
    > It could be a compromised host. BigIP uses a modified version of
    > FreeBSD.
    
    BIG-IP uses a custom version of BSDI.
    
    > R/
    > 
    > Richard Smith
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
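As an added illustration of the two fingerprints the thread describes (the three-packet RTT probe with IP ID 1, 2, 3, and the source port incrementing by one per packet), here is a small triage script. It is not code from the original post or from F5; the Packet record layout, the 2-second grouping window and all addresses are assumptions, and the sample capture is constructed.

```python
"""Triage of inbound port-53 probes: F5 RTT-measurement pattern vs. scan.

Added example for this thread, not code from the original post or from F5.
It encodes two fingerprints the messages describe:
  * RTT probes arrive in groups of three with the IP ID field set to 1, 2, 3
  * a scanner walking source ports increments them by one per packet
The Packet fields, the 2-second grouping window, and every address below
are assumptions / constructed sample data, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time, seconds
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port
    ip_id: int    # IP header identification field


def flows_to_port(packets, dport=53):
    """Group packets aimed at dport by (src, dst), each group sorted by time."""
    flows = defaultdict(list)
    for p in packets:
        if p.dport == dport:
            flows[(p.src, p.dst)].append(p)
    return {k: sorted(v, key=lambda p: p.ts) for k, v in flows.items()}


def find_rtt_triplets(pkts, window=2.0):
    """Return consecutive runs of three packets whose IP IDs are exactly
    1, 2, 3 in order and that arrive within `window` seconds (assumed)."""
    hits, i = [], 0
    while i + 2 < len(pkts):
        trio = pkts[i:i + 3]
        if [p.ip_id for p in trio] == [1, 2, 3] and trio[2].ts - trio[0].ts <= window:
            hits.append(tuple(trio))
            i += 3          # consume the whole triplet
        else:
            i += 1
    return hits


def source_ports_increment(pkts):
    """True when every packet's source port is the previous one plus one."""
    if len(pkts) < 2:
        return False
    return all(b.sport - a.sport == 1 for a, b in zip(pkts, pkts[1:]))


def classify_probes(packets):
    """Label each (src, dst) pair seen on port 53 with a heuristic verdict."""
    labels = {}
    for key, pkts in flows_to_port(packets).items():
        triplets = find_rtt_triplets(pkts)
        if triplets and 3 * len(triplets) == len(pkts):
            labels[key] = "rtt-measurement-like"   # nothing but 1,2,3 triplets seen
        elif source_ports_increment(pkts):
            labels[key] = "scan-like"
        else:
            labels[key] = "other"
    return labels


# Constructed sample capture (RFC 5737 documentation addresses).
SAMPLE = [
    # two RTT-style triplets from one probe source, a minute apart
    Packet(0.00, "192.0.2.10", 40001, "198.51.100.5", 53, 1),
    Packet(0.04, "192.0.2.10", 40002, "198.51.100.5", 53, 2),
    Packet(0.09, "192.0.2.10", 40003, "198.51.100.5", 53, 3),
    Packet(60.00, "192.0.2.10", 40010, "198.51.100.5", 53, 1),
    Packet(60.05, "192.0.2.10", 40011, "198.51.100.5", 53, 2),
    Packet(60.11, "192.0.2.10", 40012, "198.51.100.5", 53, 3),
    # a scanner walking source ports by one, arbitrary IP IDs
    Packet(1.00, "203.0.113.7", 1024, "198.51.100.5", 53, 5311),
    Packet(1.02, "203.0.113.7", 1025, "198.51.100.5", 53, 5312),
    Packet(1.04, "203.0.113.7", 1026, "198.51.100.5", 53, 5313),
    Packet(1.06, "203.0.113.7", 1027, "198.51.100.5", 53, 5314),
    # an ordinary resolver: fixed source port, incomplete 1,2 sequence
    Packet(2.00, "192.0.2.200", 5353, "198.51.100.5", 53, 1),
    Packet(2.50, "192.0.2.200", 5353, "198.51.100.5", 53, 2),
    # traffic to another port is ignored by the port-53 grouping
    Packet(3.00, "192.0.2.200", 5353, "198.51.100.5", 6667, 7),
]

if __name__ == "__main__":
    for key, label in sorted(classify_probes(SAMPLE).items()):
        print(f"{key[0]} -> {key[1]}:53  {label}")
```

The verdicts are heuristics, not proof: a source that only ever sends IP ID 1, 2, 3 triplets matches the RTT-probe description, while incrementing source ports alone is consistent with many scanners. The corroborating sign the post mentions, a listener on port 4353 on the probing host, is not visible in the inbound packets and would need a separate check against that host.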
    