Re: Weird DNS scans

From: John Hall (j.hallat_private)
Date: Mon Oct 08 2001 - 13:34:44 PDT

Next message: James Weiler: "RE: new pop3 exploit out?"

Previous message: John Sage: "Re: port 22 scans + 53 scans"
In reply to: Seth Milder: "Re: Weird DNS scans"
Next in thread: Seth Milder: "Re: Weird DNS scans"
Reply: Seth Milder: "Re: Weird DNS scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We've identified several of the sources of these packets as either
BIG-IP's or 3-DNS's.  None of them actually have port 6667 open, so
that looks like an artifact of some device between the host your ran
nmap upon and the destination hosts.  Two of them are 3-DNS's operated
by realmedia.com (3dns.east.realmedia.com and 3dns.west.realmedia.com)
and several of the others are probably BIG-IP's operated by them as
well.  It looks like they've modified the 3-DNS Round Trip Time probe
settings to do five probes at a time, which some may consider excessive.

I've forwarded this information to our Support group to see if we can
help them configure their 3-DNS's to be a little less noisy.  If you
find these probes obnoxious, you can contact them and ask them to add
you to their 3-DNS do-not-probe list.  One thing you should understand
is that these probes are prompted by a DNS request from your site and
result in you getting better service from their sites.  Once you are
on the do-not-probe list, you will most likely get poorer service from
them.

JMH

Seth Milder wrote:
>
> BTW, I could not telnet to port 6667 FWIW.
> 
> Here is some of it:
> 
> Oct  4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=48 (#47)
> Oct  4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=48 (#47)
...
> Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=47 (#47)
> Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=47 (#47)
> Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17  61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=47 (#47)
> Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=4 F=0x0000 T=47 (#47)
> Oct  4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=5 F=0x0000 T=47 (#47)
> Oct  4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=50 (#47)
> Oct  4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=50 (#47)
...
> --
> Seth Milder
> Deptartment of Physics and Astronomy
> MS 3f3
> George Mason University
> Fairfax, VA

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: James Weiler: "RE: new pop3 exploit out?"
Previous message: John Sage: "Re: port 22 scans + 53 scans"
In reply to: Seth Milder: "Re: Weird DNS scans"
Next in thread: Seth Milder: "Re: Weird DNS scans"
Reply: Seth Milder: "Re: Weird DNS scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 14:41:18 PDT