Strange Traffic..

From: Vinay Kudithipudi (kudithipudiat_private)
Date: Thu Nov 29 2001 - 05:11:51 PST

Next message: Fredrik Ostergren: "Re: any1 stumbled across eCkit ?"

Previous message: Aron_Croftat_private: "Re: New Worm similar to BadTrans.B? [Virus Checked]"
Next in thread: NESTING, DAVID M (SBCSI): "RE: Strange Traffic.."
Reply: NESTING, DAVID M (SBCSI): "RE: Strange Traffic.."
Reply: John Sage: "Re: Strange Traffic.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Guys,
      Our DNS servers have been getting a lot of strange traffic from
a couple of IP addresses allocated to the Social Security
Administration.

Here is a tcpdump , I did one one of our DNS servers.

07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
07:00:35.990687 199.173.224.20.domain > dns1.domain: 57781 (35)
07:00:35.991161 199.173.224.20.domain > dns1.domain: 24090 (35)
07:00:35.991449 dns1.domain > 199.173.224.20.domain: 57781 0/2/1 (100) (DF)
07:00:35.992092 dns1.domain > 199.173.224.20.domain: 24090 0/2/1 (100) (DF)
07:00:35.992483 199.173.224.20.domain > dns1.domain: 3674 (35)
07:00:35.993164 dns1.domain > 199.173.224.20.domain: 3674 0/2/1 (100) (DF)
07:00:35.995312 199.173.224.20.domain > dns1.domain: 59269 (35)
07:00:35.996013 dns1.domain > 199.173.224.20.domain: 59269 0/2/1 (100) (DF)
07:00:35.996948 199.173.224.20.domain > dns1.domain: 29342 (35)
07:00:35.997225 199.173.224.20.domain > dns1.domain: 35178 (35)
07:00:35.997587 199.173.224.20.domain > dns1.domain: 27068 (35)
07:00:35.997783 dns1.domain > 199.173.224.20.domain: 29342 0/2/1 (100) (DF)
07:00:35.998425 dns1.domain > 199.173.224.20.domain: 35178 0/2/1 (100) (DF)
07:00:35.999069 dns1.domain > 199.173.224.20.domain: 27068 0/2/1 (100) (DF)
07:00:36.006943 199.173.224.20.domain > dns1.domain: 32466 (35)
07:00:36.023249 dns1.domain > 199.173.224.20.domain: 32466 0/2/1 (100) (DF)
07:00:36.989212 199.173.224.20.domain > dns1.domain: 30761 (35)
07:00:36.989909 dns1.domain > 199.173.224.20.domain: 30761 0/2/1 (100) (DF)
07:00:36.990433 199.173.224.20.domain > dns1.domain: 48364 (35)
07:00:36.991115 dns1.domain > 199.173.224.20.domain: 48364 0/2/1 (100) (DF)
07:00:36.993719 199.173.224.20.domain > dns1.domain: 44078 (35)
07:00:36.994034 199.173.224.20.domain > dns1.domain: 27679 (35)
07:00:36.994478 dns1.domain > 199.173.224.20.domain: 44078 0/2/1 (100) (DF)
07:00:36.994849 199.173.224.20.domain > dns1.domain: 54989 (35)
07:00:36.995211 dns1.domain > 199.173.224.20.domain: 27679 0/2/1 (100) (DF)
07:00:36.995857 dns1.domain > 199.173.224.20.domain: 54989 0/2/1 (100) (DF)
07:00:37.000098 199.173.224.20.domain > dns1.domain: 36072 (35)
07:00:37.000801 dns1.domain > 199.173.224.20.domain: 36072 0/2/1 (100) (DF)
07:00:37.994128 199.173.224.20.domain > dns1.domain: 57044 (35)
07:00:37.994913 dns1.domain > 199.173.224.20.domain: 57044 1/2/1 (116) (DF)
07:00:56.991627 199.173.224.20.domain > dns1.domain: 29865 (35)
07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
07:00:56.996274 199.173.224.20.domain > dns1.domain: 48364 (35)
07:00:56.996519 199.173.224.20.domain > dns1.domain: 30761 (35)
07:00:56.997223 dns1.domain > 199.173.224.20.domain: 48364 1/2/1 (116) (DF)
07:00:56.997876 dns1.domain > 199.173.224.20.domain: 30761 1/2/1 (116) (DF)
07:00:57.009740 199.173.224.20.domain > dns1.domain: 14916 (35)
07:00:57.010448 199.173.224.20.domain > dns1.domain: 18151 (35)
07:00:57.010549 dns1.domain > 199.173.224.20.domain: 14916 0/2/1 (100) (DF)
07:00:57.011195 dns1.domain > 199.173.224.20.domain: 18151 0/2/1 (100) (DF)

The other IP's that we are getting this kind of traffic are
199.173.224.2 and 199.173.225.21.

I did a portscan on these IP's using nmap and the only ports open on
these boxes are SMTP and AUTH. Also the output says that the boxes
have been up from 1985!!!

This traffic is killing our servers. I am planning on blocking these
IP's from our routers, but wanted to hear other opinions from this
group. Any help would be appreciated. Thank you.


-- 
Best regards,
 Vinay                          mailto: kudithipudiat_private

This Letter was written at 7:03:49 AM [CST] on Thursday, November 29, 2001


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Fredrik Ostergren: "Re: any1 stumbled across eCkit ?"
Previous message: Aron_Croftat_private: "Re: New Worm similar to BadTrans.B? [Virus Checked]"
Next in thread: NESTING, DAVID M (SBCSI): "RE: Strange Traffic.."
Reply: NESTING, DAVID M (SBCSI): "RE: Strange Traffic.."
Reply: John Sage: "Re: Strange Traffic.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 08:40:51 PST