Strange Traffic..

From: Vinay Kudithipudi (kudithipudiat_private)
Date: Thu Nov 29 2001 - 05:11:51 PST


    Hello Guys,
          Our DNS servers have been getting a lot of strange traffic from
    a couple of IP addresses allocated to the Social Security
    Administration.
    
    Here is a tcpdump I did on one of our DNS servers.
    
    07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
    07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
    07:00:35.990687 199.173.224.20.domain > dns1.domain: 57781 (35)
    07:00:35.991161 199.173.224.20.domain > dns1.domain: 24090 (35)
    07:00:35.991449 dns1.domain > 199.173.224.20.domain: 57781 0/2/1 (100) (DF)
    07:00:35.992092 dns1.domain > 199.173.224.20.domain: 24090 0/2/1 (100) (DF)
    07:00:35.992483 199.173.224.20.domain > dns1.domain: 3674 (35)
    07:00:35.993164 dns1.domain > 199.173.224.20.domain: 3674 0/2/1 (100) (DF)
    07:00:35.995312 199.173.224.20.domain > dns1.domain: 59269 (35)
    07:00:35.996013 dns1.domain > 199.173.224.20.domain: 59269 0/2/1 (100) (DF)
    07:00:35.996948 199.173.224.20.domain > dns1.domain: 29342 (35)
    07:00:35.997225 199.173.224.20.domain > dns1.domain: 35178 (35)
    07:00:35.997587 199.173.224.20.domain > dns1.domain: 27068 (35)
    07:00:35.997783 dns1.domain > 199.173.224.20.domain: 29342 0/2/1 (100) (DF)
    07:00:35.998425 dns1.domain > 199.173.224.20.domain: 35178 0/2/1 (100) (DF)
    07:00:35.999069 dns1.domain > 199.173.224.20.domain: 27068 0/2/1 (100) (DF)
    07:00:36.006943 199.173.224.20.domain > dns1.domain: 32466 (35)
    07:00:36.023249 dns1.domain > 199.173.224.20.domain: 32466 0/2/1 (100) (DF)
    07:00:36.989212 199.173.224.20.domain > dns1.domain: 30761 (35)
    07:00:36.989909 dns1.domain > 199.173.224.20.domain: 30761 0/2/1 (100) (DF)
    07:00:36.990433 199.173.224.20.domain > dns1.domain: 48364 (35)
    07:00:36.991115 dns1.domain > 199.173.224.20.domain: 48364 0/2/1 (100) (DF)
    07:00:36.993719 199.173.224.20.domain > dns1.domain: 44078 (35)
    07:00:36.994034 199.173.224.20.domain > dns1.domain: 27679 (35)
    07:00:36.994478 dns1.domain > 199.173.224.20.domain: 44078 0/2/1 (100) (DF)
    07:00:36.994849 199.173.224.20.domain > dns1.domain: 54989 (35)
    07:00:36.995211 dns1.domain > 199.173.224.20.domain: 27679 0/2/1 (100) (DF)
    07:00:36.995857 dns1.domain > 199.173.224.20.domain: 54989 0/2/1 (100) (DF)
    07:00:37.000098 199.173.224.20.domain > dns1.domain: 36072 (35)
    07:00:37.000801 dns1.domain > 199.173.224.20.domain: 36072 0/2/1 (100) (DF)
    07:00:37.994128 199.173.224.20.domain > dns1.domain: 57044 (35)
    07:00:37.994913 dns1.domain > 199.173.224.20.domain: 57044 1/2/1 (116) (DF)
    07:00:56.991627 199.173.224.20.domain > dns1.domain: 29865 (35)
    07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
    07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
    07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
    07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
    07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
    07:00:56.996274 199.173.224.20.domain > dns1.domain: 48364 (35)
    07:00:56.996519 199.173.224.20.domain > dns1.domain: 30761 (35)
    07:00:56.997223 dns1.domain > 199.173.224.20.domain: 48364 1/2/1 (116) (DF)
    07:00:56.997876 dns1.domain > 199.173.224.20.domain: 30761 1/2/1 (116) (DF)
    07:00:57.009740 199.173.224.20.domain > dns1.domain: 14916 (35)
    07:00:57.010448 199.173.224.20.domain > dns1.domain: 18151 (35)
    07:00:57.010549 dns1.domain > 199.173.224.20.domain: 14916 0/2/1 (100) (DF)
    07:00:57.011195 dns1.domain > 199.173.224.20.domain: 18151 0/2/1 (100) (DF)
    
    The other IPs that we are getting this kind of traffic from are
    199.173.224.2 and 199.173.225.21.
    
    I did a portscan on these IPs using nmap and the only ports open on
    these boxes are SMTP and AUTH. Also the output says that the boxes
    have been up since 1985!!!
    
    This traffic is killing our servers. I am planning on blocking these
    IPs from our routers, but wanted to hear other opinions from this
    group. Any help would be appreciated. Thank you.
    
    
    -- 
    Best regards,
     Vinay                          mailto: kudithipudiat_private
    
    This Letter was written at 7:03:49 AM [CST] on Thursday, November 29, 2001
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
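As an added example (not part of the original post), a small Python parser for the abbreviated tcpdump DNS summary format shown above that tallies, per source address, the query rate, matched responses, responses with an empty answer section (the `0/2/1` lines) and query ids that are re-sent later (48364 and 30761 reappear about twenty seconds on), which is the kind of evidence worth having before deciding between a misconfigured resolver and a block at the router. The sample lines are copied from the post; the server name `dns1` and tolerance for a trailing `+` (recursion-desired marker in other tcpdump versions) are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Matches the abbreviated tcpdump DNS summary format used in the post:
#   <time> <src>.<port> > <dst>.<port>: <id>[+] [ans/auth/add] (<len>) [(DF)]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<qid>\d+)\+?(?: (?P<ans>\d+)/(?P<auth>\d+)/(?P<add>\d+))? \((?P<len>\d+)\)"
)

@dataclass
class SourceStats:
    queries: int = 0
    answered: int = 0        # responses our server sent back to this source
    empty_answers: int = 0   # responses with 0 records in the answer section
    retried_ids: set = field(default_factory=set)  # query ids seen more than once
    per_second: Counter = field(default_factory=Counter)  # queries per wall-clock second

def analyse(lines, server="dns1"):  # 'dns1' is the server name assumed from the post
    stats = defaultdict(SourceStats)
    seen_ids = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a DNS summary line
        d = m.groupdict()
        if d["dst"] == server and d["ans"] is None:       # query towards our server
            s = stats[d["src"]]
            s.queries += 1
            s.per_second[d["ts"].split(".")[0]] += 1
            seen_ids[d["src"]][d["qid"]] += 1
            if seen_ids[d["src"]][d["qid"]] > 1:
                s.retried_ids.add(d["qid"])
        elif d["src"] == server and d["ans"] is not None:  # our server's response
            s = stats[d["dst"]]
            s.answered += 1
            if int(d["ans"]) == 0:
                s.empty_answers += 1
    return stats

def peak_qps(s):
    return max(s.per_second.values(), default=0)

# Sample input: lines copied from the post (ids 48364 and 30761 are re-sent later).
SAMPLE = """\
07:00:36.989212 199.173.224.20.domain > dns1.domain: 30761 (35)
07:00:36.989909 dns1.domain > 199.173.224.20.domain: 30761 0/2/1 (100) (DF)
07:00:36.990433 199.173.224.20.domain > dns1.domain: 48364 (35)
07:00:36.991115 dns1.domain > 199.173.224.20.domain: 48364 0/2/1 (100) (DF)
07:00:36.993719 199.173.224.20.domain > dns1.domain: 44078 (35)
07:00:36.994478 dns1.domain > 199.173.224.20.domain: 44078 0/2/1 (100) (DF)
07:00:56.996274 199.173.224.20.domain > dns1.domain: 48364 (35)
07:00:56.996519 199.173.224.20.domain > dns1.domain: 30761 (35)
07:00:56.997223 dns1.domain > 199.173.224.20.domain: 48364 1/2/1 (116) (DF)
07:00:56.997876 dns1.domain > 199.173.224.20.domain: 30761 1/2/1 (116) (DF)
"""
```

Feed it the full capture with `analyse(open("capture.txt").read().splitlines())` and compare `queries` against `answered` and `retried_ids` per source: a client that is answered promptly yet keeps re-sending the same ids is behaving like a resolver that does not like the replies, not like a flood.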
    



    This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 08:40:51 PST