Re: Weird DNS scans

From: John Hall (j.hallat_private)
Date: Mon Oct 08 2001 - 13:34:44 PDT


    We've identified several of the sources of these packets as either
    BIG-IP's or 3-DNS's.  None of them actually have port 6667 open, so
    that looks like an artifact of some device between the host you ran
    nmap upon and the destination hosts.  Two of them are 3-DNS's operated
    by realmedia.com (3dns.east.realmedia.com and 3dns.west.realmedia.com)
    and several of the others are probably BIG-IP's operated by them as
    well.  It looks like they've modified the 3-DNS Round Trip Time probe
    settings to do five probes at a time, which some may consider excessive.
    
    I've forwarded this information to our Support group to see if we can
    help them configure their 3-DNS's to be a little less noisy.  If you
    find these probes obnoxious, you can contact them and ask them to add
    you to their 3-DNS do-not-probe list.  One thing you should understand
    is that these probes are prompted by a DNS request from your site and
    result in you getting better service from their sites.  Once you are
    on the do-not-probe list, you will most likely get poorer service from
    them.
    
    JMH
    
    Seth Milder wrote:
    >
    > BTW, I could not telnet to port 6667 FWIW.
    > 
    > Here is some of it:
    > 
    > Oct  4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=48 (#47)
    > Oct  4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=48 (#47)
    ...
    > Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=47 (#47)
    > Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=47 (#47)
    > Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17  61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=47 (#47)
    > Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=4 F=0x0000 T=47 (#47)
    > Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=5 F=0x0000 T=47 (#47)
    > Oct  4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=50 (#47)
    > Oct  4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=50 (#47)
    ...
    > --
    > Seth Milder
    > Department of Physics and Astronomy
    > MS 3f3
    > George Mason University
    > Fairfax, VA
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
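Added example, not code from either poster or from F5: a small Python detector that parses ipchains "Packet log" lines of the kind Seth quoted and flags a source socket that sends five or more UDP packets to port 53 within a couple of seconds, which is the five-at-a-time probe pattern John describes. The three UDP groups in the sample are the lines quoted above; the TCP line is constructed as a non-match. The thresholds (5 probes, a 2 second window) and the IP-ID check are my assumptions for illustration, not 3-DNS settings.

```python
"""Flag bursts of UDP/53 packets from one source socket in ipchains DENY logs.

Added example for this thread; not code from the posters or from F5.
Packets are grouped by (src ip, src port, dst ip, dst port); a group whose
packets arrive within a short window is reported, which matches the
five-probes-at-a-time 3-DNS round-trip-time behaviour described above.
"""
import re
from collections import defaultdict
from datetime import datetime

# ipchains "Packet log" line: L=length S=TOS I=IP ID F=frag T=TTL (#rule)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<verdict>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>\S+?):(?P<sport>\d+)\s+(?P<dst>\S+?):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+)\s+S=0x[0-9A-Fa-f]+\s+I=(?P<ipid>\d+)\s+F=0x[0-9A-Fa-f]+\s+T=(?P<ttl>\d+)"
)

# Sample input: the UDP lines are the ones quoted in the thread; the last
# (TCP/22) line is constructed so the filter has something to ignore.
SAMPLE_LOG = [
    "Oct  4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=48 (#47)",
    "Oct  4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=48 (#47)",
    "Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=47 (#47)",
    "Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=47 (#47)",
    "Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17  61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=47 (#47)",
    "Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=4 F=0x0000 T=47 (#47)",
    "Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=5 F=0x0000 T=47 (#47)",
    "Oct  4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=50 (#47)",
    "Oct  4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=50 (#47)",
    # constructed: a TCP SYN to ssh, not a DNS probe
    "Oct  4 19:25:44 physics kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.9:40123 x.x.x.x:22 L=60 S=0x00 I=700 F=0x4000 T=52 (#47)",
]


def parse_line(line):
    """Parse one ipchains log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # enough for ordering packets inside one burst.
    d["time"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        d[k] = int(d[k])
    return d


def find_probe_bursts(lines, min_probes=5, window_s=2.0, dport=53):
    """Return one finding per source socket that sent at least min_probes
    UDP packets to dport within window_s seconds (thresholds assumed)."""
    groups = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None or p["proto"] != 17 or p["dport"] != dport:
            continue
        groups[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)

    findings = []
    for (src, sport, dst, _dp), pkts in groups.items():
        if len(pkts) < min_probes:
            continue
        pkts.sort(key=lambda p: p["time"])
        span = (pkts[-1]["time"] - pkts[0]["time"]).total_seconds()
        if span > window_s:
            continue
        ids = sorted(p["ipid"] for p in pkts)
        findings.append({
            "src": src, "sport": sport, "dst": dst, "count": len(pkts),
            "span_s": span, "ttl": pkts[0]["ttl"],
            # The quoted log shows IP IDs 1..5 from a freshly started sender;
            # record whether this burst has the same consecutive numbering.
            "consecutive_ipid": ids == list(range(ids[0], ids[0] + len(ids))),
        })
    return findings


if __name__ == "__main__":
    for f in find_probe_bursts(SAMPLE_LOG):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:53  {f['count']} probes "
              f"in {f['span_s']:.0f}s, ttl={f['ttl']}, "
              f"consecutive IP IDs={f['consecutive_ipid']}")
```

Run against the sample it reports only 61.180.7.130:30022, the one source that reached the five-packet threshold inside the log excerpt; lowering `min_probes` to 2 also picks up the two partial groups. Keying on the source port matters: each probe set comes from one UDP socket, so a single (src, sport) with a tight timing spread is what separates a round-trip-time probe from unrelated DNS traffic.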



    This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 14:41:18 PDT