Re: Strange Traffic..

From: John Sage (jsageat_private)
Date: Thu Nov 29 2001 - 21:26:50 PST


    Vinay:
    
    I think this looks like nameserver-to-nameserver dns traffic, see 
    comments in line..
    
    Vinay Kudithipudi wrote:
    
    > Hello Guys,
    >       Our DNS servers have been getting a lot of strange traffic from
    > a couple of IP addresses allocated to the Social Security
    > Administration.
    > 
    > Here is a tcpdump I did on one of our DNS servers.
    > 
    > 07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
    
    
    199.x.x.x:53 sends 35 bytes to dns1:53 with a query number of 45115
    
    > 07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
    
    
    dns1 answers query number 45115 with 100 bytes, zero answer records, 2 
    authoritative records, 1 additional record...
    
    
    So, whatever it is they think they want, you apparently don't have the 
    specific IP address, but you may have the relevant nameserver, and 
    you've got some additional stuff, too...
    
    
    Now, if it's the *volume* of traffic you're talking about, that's a 
    different kind of issue.
    
    I'd try to get in touch with llsmithat_private and ask him "wassup?"
    
    
    UUNET Technologies, Inc. (NETBLK-UUCBLK170-173)NETBLK-UUCBLK170-173
          199.170.0.0 - 199.173.255.255
    
    Social Security Administration (NETBLK-UU-199-173-224-D2)
    
    UU-199-173-224-D2
          199.173.224.0 - 199.173.231.255
    
    
    Social Security Administration (NETBLK-UU-199-173-224-D2)
        6401 Security Blvd.
        Baltimore, MD 21235
        US
        Netname: UU-199-173-224-D2
        Netblock: 199.173.224.0 - 199.173.231.255
    
    Coordinator:
           Smith, Lionel Lloyd  (LS112-ARIN)  llsmithat_private
           (410) 965-8963 (FAX) (410) 965-4110
    
    Record last updated on 08-Oct-1998.
    Database last updated on  29-Nov-2001 19:56:47 EDT.
    
    
    (I don't think it's necessarily unusual that the data for this specific 
    record hasn't changed since 1998..)
    
    - John
    
    
    <snip>
    
    > 
    > The other IPs that we are getting this kind of traffic from are
    > 199.173.224.2 and 199.173.225.21.
    > 
    > I did a portscan on these IPs using nmap and the only ports open on
    > these boxes are SMTP and AUTH. Also the output says that the boxes
    > have been up since 1985!!!
    > 
    > This traffic is killing our servers. I am planning on blocking these
    > IPs from our routers, but wanted to hear other opinions from this
    > group. Any help would be appreciated. Thank you.
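The two tcpdump lines John walks through above are the kind of thing you want to parse rather than eyeball once the *volume* is the issue. The following is an added example, not code from the original post: it parses tcpdump's DNS summary format into query id, flags, RR counts and payload length, then tallies queries per source and lists sources whose sustained query rate exceeds a threshold; the sample lines are constructed, and the burst from 199.173.224.2 is made up for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump DNS summary lines in the format quoted in the thread, e.g.
#   07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)             <- query
#   07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)  <- response
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.domain > (?P<dst>\S+)\.domain: "
    r"(?P<id>\d+)(?P<flags>[+*|$-]*)"                   # query id and tcpdump flag chars ('+' = RD)
    r"(?:[^(/]* (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?"  # answer/authority/additional RR counts
    r"[^(]*\((?P<len>\d+)\)"                            # skip rcode/question text, keep payload length
)

def parse(line):
    """One query or response line as a dict; None for lines that are not DNS summaries."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {"ts": d["ts"], "src": d["src"], "dst": d["dst"], "id": int(d["id"]),
           "len": int(d["len"]), "rd": "+" in d["flags"], "counts": None}
    if d["an"] is not None:                             # only responses carry an/ns/ar counts
        rec["counts"] = (int(d["an"]), int(d["ns"]), int(d["ar"]))
    return rec

def query_stats(lines):
    """Per query source: (queries, queries/second over the observed span, ids never answered)."""
    times, open_ids = defaultdict(list), defaultdict(set)
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["counts"] is None:                         # query: attribute it to the source
            t = sum(float(x) * f for x, f in zip(r["ts"].split(":"), (3600, 60, 1)))
            times[r["src"]].append(t)
            open_ids[r["src"]].add(r["id"])
        else:                                           # response: closes the matching query id
            open_ids[r["dst"]].discard(r["id"])
    return {src: (len(ts), len(ts) / max(ts[-1] - ts[0], 1.0), len(open_ids[src]))
            for src, ts in times.items()}               # window floored at one second

def noisy_sources(lines, qps_limit):
    """Sources whose sustained query rate exceeds qps_limit: candidates for rate limiting."""
    return sorted(src for src, (_, qps, _) in query_stats(lines).items() if qps > qps_limit)

SAMPLE = [  # constructed sample: the thread's two lines plus a made-up burst from a second host
    "07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)",
    "07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)",
] + [f"07:00:36.{i:06d} 199.173.224.2.domain > dns1.domain: {50000 + i} (35)"
     for i in range(0, 500000, 5000)]
```

Run against a real capture, `query_stats` also tells you how many queries per source never got a reply, which separates a chatty-but-answered resolver from something that is simply flooding port 53.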
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 12:15:06 PST