RE: Re[2]: Strange Traffic..

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Fri Nov 30 2001 - 08:56:33 PST


    I didn't say the *incident* was normal, I just said the nature of the
    *traffic* looked normal.  Yah I would say it isn't very normal for an
    external host to be banging away on a name server doing DNS lookups every
    few seconds for 4 days.  :)
    
    But this is more likely to be:
    
    a) a run-away process on your end making traffic to their network (and
    somehow triggering reverse lookups); or
    b) a run-away process on their end; or
    c) host(s) on their end configured with your name servers instead of their
    own (relocated equipment?)
    
    Without knowing the nature of the lookups and examining the host(s) making
    the requests and/or the host(s) on your side that they're looking up, I
    don't know that we'll be able to easily figure out the cause of this.
    
    Or I guess it could be some kind of weird DoS attack.  If you can't nail
    down a possible cause on your end you might try contacting them.
    
    David
    
    -----Original Message-----
    From: Vinay Kudithipudi [mailto:kudithipudiat_private]
    Sent: Thursday, November 29, 2001 11:07 PM
    To: NESTING, DAVID M (SBCSI)
    Cc: incidentsat_private
    Subject: Re[2]: Strange Traffic..
    
    
    Hello DAVID,
        Thanks for the detailed analysis/explanation. You guys are awesome
    on this mailing list. I don't think it is normal traffic since we have
    been hit by this traffic for 4 days already [and is continuing as we
    speak]. And also, if it was a normal DNS lookup, why would we be
    getting so many requests? Even though we are a pretty big company, I
    don't see us generating so many lookups.
    
       As for your request to send some packet dumps, I would be more
    than happy to, if I knew how :). Any way you can tell me how to do
    some packet dumps? Thanks everyone for the replies.
    
    -- 
    Best regards,
     Vinay                            mailto:kudithipudiat_private
    
    Thursday, November 29, 2001, 11:06:55 AM, you wrote:
    
    NDMS> What do you see that's unusual about this traffic?  It looks like maybe this
    NDMS> system is just doing a large number of DNS lookups via your name server?
    NDMS> The 0/2/1 implies a non-authoritative response to one of their requests.
    
    NDMS> Could be that someone on their end is doing a mass reverse-lookup against a
    NDMS> block of your IP addresses, or a vulnerability scan that includes looking up
    NDMS> the hostname of the systems it hits?  Maybe the increased load on your
    NDMS> systems is due to these effects instead of the DNS lookups.  I wouldn't
    NDMS> expect the frequency/number of requests below to cause significant problems
    NDMS> for your servers.
    
    NDMS> This could be the effect of 3rd-party SMTP relaying also.  If someone on
    NDMS> your network (or another broken mail server on your network) is relaying
    NDMS> massive amounts of e-mail through their mail servers, it's possible their
    NDMS> systems are trying to do reverse DNS lookups on the originating IP
    NDMS> address(es).  One might expect that this information would be cached, but
    NDMS> it's still possible.
    
    NDMS> It could be anything, really, but I don't really see anything unusual about
    NDMS> the traffic you pasted.
    
    NDMS> How long has it been running and has it stopped?  A dump of the packets
    NDMS> you're seeing might be interesting, and would at least let us see what these
    NDMS> requests are like.  Some newer versions of 'tcpdump' decode DNS requests and
    NDMS> replies.
    
    NDMS> David
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
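Added example (not part of the thread): once the tcpdump DNS decode David asked for is in hand, a short Python script like this sorts the queries by source, record type and name, which is what separates the hypotheses above (PTR lookups for your own address block point at reverse lookups of your hosts, such as mail relaying; lookups of unrelated names point at hosts using your servers as their resolver). The capture lines, the 203.0.113.7 / 198.51.100.10 addresses and the reverse zone are constructed.

```python
import re
from collections import Counter

# Constructed sample of tcpdump DNS decode output (not from the thread); a capture like it
# comes from e.g. "tcpdump -n -s 0 port 53 and host 203.0.113.7". Hypothetical addresses:
# 203.0.113.7 is the external host, 198.51.100.10 is our name server.
SAMPLE = """\
08:00:01.000100 IP 203.0.113.7.40001 > 198.51.100.10.53: 4001+ PTR? 20.100.51.198.in-addr.arpa. (44)
08:00:01.000900 IP 198.51.100.10.53 > 203.0.113.7.40001: 4001* 1/2/2 PTR www.example.net. (120)
08:00:04.000100 IP 203.0.113.7.40002 > 198.51.100.10.53: 4002+ PTR? 21.100.51.198.in-addr.arpa. (44)
08:00:04.000800 IP 198.51.100.10.53 > 203.0.113.7.40002: 4002 NXDomain* 0/1/0 (98)
08:00:07.000100 IP 203.0.113.7.40003 > 198.51.100.10.53: 4003+ A? mail.partner-example.org. (42)
08:00:07.000700 IP 198.51.100.10.53 > 203.0.113.7.40003: 4003 0/2/1 (110)
"""

# Matches query lines only: "<ts> IP <src>.<port> > <dst>.<port>: <id><flags> <TYPE>? <name> (<len>)".
# Reply lines carry answer/authority/additional counts such as "0/2/1" instead and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: \d+\S* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(text, our_reverse_zone="100.51.198.in-addr.arpa."):
    """Tally queries per source and type; split PTR lookups inside our own reverse
    zone (reverse lookups of our hosts) from lookups of names unrelated to us."""
    per_src, per_qtype = Counter(), Counter()
    ours = other = 0
    times = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        per_src[m["src"]] += 1
        per_qtype[m["qtype"]] += 1
        if m["qtype"] == "PTR" and m["qname"].endswith(our_reverse_zone):
            ours += 1
        else:
            other += 1
        times.append(_seconds(m["ts"]))
    queries = len(times)
    span = times[-1] - times[0] if queries > 1 else 0.0
    return {"queries": queries, "per_src": dict(per_src), "per_qtype": dict(per_qtype),
            "ptr_for_our_block": ours, "other_names": other,
            "mean_interval_s": span / (queries - 1) if queries > 1 else 0.0}
```

Feed it the text output of tcpdump run with `-n` (so addresses are not resolved, which would otherwise add your own lookups to the picture); a steady mean interval of a few seconds from one source over days matches the pattern described in the thread.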
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 10:20:28 PST