I didn't say the *incident* was normal, I just said the nature of the *traffic* looked normal. Yah I would say it isn't very normal for an external host to be banging away on a name server doing DNS lookups every few seconds for 4 days. :) But this is more likely to be: a) a run-away process on your end making traffic to their network (and somehow triggering reverse lookups); or b) a run-away process on their end; or c) host(s) on their end configured with your name servers instead of their own (relocated equipment?) Without knowing the nature of the lookups and examining the host(s) making the requests and/or the host(s) on your side that they're looking up, I don't know that we'll be able to easily figure out the cause of this. Or I guess it could be some kind of weird DoS attack. If you can't nail down a possible cause on your end you might try contacting them. David -----Original Message----- From: Vinay Kudithipudi [mailto:kudithipudiat_private] Sent: Thursday, November 29, 2001 11:07 PM To: NESTING, DAVID M (SBCSI) Cc: incidentsat_private Subject: Re[2]: Strange Traffic.. Hello DAVID, Thanks for the detailed analysis/explanation. You guys are awesome on this mailing list. I don't think it is normal traffic since we have been hit by this traffic for 4 days already [And is continuing a we speak] . And also if it was a normal DNS lookup, why would we be getting so many requests. Even though we are a pretty big company, I don't see us generating so many lookups. As for your request to to send some packet dumps. I would be more than happy to , if I knew how :). Any way you can tell me how to do some packet dumps? Thanks everyone for the replies. -- Best regards, Vinay mailto:kudithipudiat_private Thursday, November 29, 2001, 11:06:55 AM, you wrote: NDMS> What do you see that's unusual about this traffic? It looks like maybe this NDMS> system is just doing a large number of DNS lookups via your name server? NDMS> The 0/2/1 implies a non-authoritative response to one of their requests. NDMS> Could be that someone on their end is doing a mass reverse-lookup against a NDMS> block of your IP addresses, or a vulnerability scan that includes looking up NDMS> the hostname of the systems it hits? Maybe the increased load on your NDMS> systems is due to these effects instead of the DNS lookups. I wouldn't NDMS> expect the frequency/number of requests below to cause significant problems NDMS> for your servers. NDMS> This could be the effect of 3rd-party SMTP relaying also. If someone on NDMS> your network (or another broken mail server on your network) is relaying NDMS> massive amounts of e-mail though their mail servers, it's possible their NDMS> systems are trying to do reverse DNS lookups on the originating IP NDMS> address(es). One might expect that this information would be cached, but NDMS> it's still possible. NDMS> It could be anything, really, but I don't really see anything unusual about NDMS> the traffic you pasted. NDMS> How long has it been running and has it stopped? A dump of the packets NDMS> you're seeing might be interesting, and would at least let us see what these NDMS> requests are like. Some newer versions of 'tcpdump' decode DNS requests and NDMS> replies. NDMS> David ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 10:20:28 PST