RE: Strange Traffic..

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Thu Nov 29 2001 - 09:06:55 PST


    What do you see that's unusual about this traffic?  It looks like maybe this
    system is just doing a large number of DNS lookups via your name server?
    The 0/2/1 implies a non-authoritative response to one of their requests.
    
    Could be that someone on their end is doing a mass reverse-lookup against a
    block of your IP addresses, or a vulnerability scan that includes looking up
    the hostname of the systems it hits?  Maybe the increased load on your
    systems is due to these effects instead of the DNS lookups.  I wouldn't
    expect the frequency/number of requests below to cause significant problems
    for your servers.
    
    This could be the effect of 3rd-party SMTP relaying also.  If someone on
    your network (or another broken mail server on your network) is relaying
    massive amounts of e-mail through their mail servers, it's possible their
    systems are trying to do reverse DNS lookups on the originating IP
    address(es).  One might expect that this information would be cached, but
    it's still possible.
    
    It could be anything, really, but I don't really see anything unusual about
    the traffic you pasted.
    
    How long has it been running and has it stopped?  A dump of the packets
    you're seeing might be interesting, and would at least let us see what these
    requests are like.  Some newer versions of 'tcpdump' decode DNS requests and
    replies.
    
    David
    
    -----Original Message-----
    From: Vinay Kudithipudi [mailto:kudithipudiat_private]
    Sent: Thursday, November 29, 2001 7:12 AM
    To: incidentsat_private
    Cc: focus-linuxat_private
    Subject: Strange Traffic..
    
    
    Hello Guys,
          Our DNS servers have been getting a lot of strange traffic from
    a couple of IP addresses allocated to the Social Security
    Administration.
    
    Here is a tcpdump I did on one of our DNS servers.
    
    07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
    07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
    ...
    07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
    07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
    07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
    07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
    07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
    ...
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
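As an added example (not part of either message), a small Python parser for the old-style tcpdump DNS summary lines quoted above: it pairs each client query with its reply by id, counts replies that carry no answer records (the 0/2/1 case David points to), and reports the query rate over the excerpt so the "is this volume unusual" question can be answered from a longer dump. The server name dns1 and the exact line layout are assumed from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Capture excerpt copied from the post above (the "..." gap lines are omitted).
SAMPLE = """\
07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
"""

# Classic tcpdump DNS line: "<time> <src>.domain > <dst>.domain: <id>[flags] [an/ns/ar] (<len>)"; only a reply carries the counts.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.domain > (?P<dst>\S+)\.domain: "
    r"(?P<id>\d+)[+*-]*(?: [A-Za-z]+\*?)?(?: (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))? \(\d+\)")

def parse_line(line):
    # Returns (seconds since midnight, src, dst, id, answer count or None for a query), or None if unparsable.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return secs, m["src"], m["dst"], m["id"], (int(m["an"]) if m["an"] is not None else None)

def summarize(text, server="dns1"):
    """Per-client query counts, no-answer replies, orphan replies and query rate for an excerpt."""
    queries, no_answer = Counter(), Counter()
    pending, times, orphan = {}, [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        secs, src, dst, qid, an = rec
        times.append(secs)
        if an is None and dst == server:               # query from a client to our server
            queries[src] += 1
            pending[(src, qid)] = secs
        elif an is not None and src == server:         # reply from our server to a client
            if an == 0:                                # "0/2/1": no answer records, only NS/referral data
                no_answer[dst] += 1
            if pending.pop((dst, qid), None) is None:  # its query fell outside the excerpt
                orphan += 1
    span = max(times) - min(times) if times else 0.0
    return {"queries": dict(queries), "no_answer_replies": dict(no_answer), "orphan_replies": orphan,
            "unmatched_queries": len(pending), "span_seconds": round(span, 6),
            "queries_per_second": round(sum(queries.values()) / span, 3) if span else None}
```

Run it over a full tcpdump capture rather than the seven lines shown and the queries_per_second figure tells you whether the load is really coming from these lookups.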
    



    This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 09:35:10 PST