Re[2]: Strange Traffic..

From: Vinay Kudithipudi (kudithipudiat_private)
Date: Thu Nov 29 2001 - 21:06:37 PST

Next message: Grimes, Shawn (NIA/IRP): "RE: Code Red -- AGAIN?!?"

Previous message: j.e.r.k. ROCKS: "solaris nscd cores"
In reply to: NESTING, DAVID M (SBCSI): "RE: Strange Traffic.."
Next in thread: NESTING, DAVID M (SBCSI): "RE: Re[2]: Strange Traffic.."
Maybe reply: NESTING, DAVID M (SBCSI): "RE: Re[2]: Strange Traffic.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello DAVID,
    Thanks for the detailed analysis/explanation. You guys are awesome
on this mailing list. I don't think it is normal traffic since we have
been hit by this traffic for 4 days already [And is continuing a we
speak]  .  And  also  if  it  was a normal DNS lookup, why would we be
getting  so  many requests. Even though we are a pretty big company, I
don't see us generating so many lookups.

   As for your request to to send some packet dumps. I would be more
than happy to , if I knew how :). Any way you can tell me how to do
some packet dumps? Thanks everyone for the replies.

-- 
Best regards,
 Vinay                            mailto:kudithipudiat_private

Thursday, November 29, 2001, 11:06:55 AM, you wrote:

NDMS> What do you see that's unusual about this traffic?  It looks like maybe this
NDMS> system is just doing a large number of DNS lookups via your name server?
NDMS> The 0/2/1 implies a non-authoritative response to one of their requests.

NDMS> Could be that someone on their end is doing a mass reverse-lookup against a
NDMS> block of your IP addresses, or a vulnerability scan that includes looking up
NDMS> the hostname of the systems it hits?  Maybe the increased load on your
NDMS> systems is due to these effects instead of the DNS lookups.  I wouldn't
NDMS> expect the frequency/number of requests below to cause significant problems
NDMS> for your servers.

NDMS> This could be the effect of 3rd-party SMTP relaying also.  If someone on
NDMS> your network (or another broken mail server on your network) is relaying
NDMS> massive amounts of e-mail though their mail servers, it's possible their
NDMS> systems are trying to do reverse DNS lookups on the originating IP
NDMS> address(es).  One might expect that this information would be cached, but
NDMS> it's still possible.

NDMS> It could be anything, really, but I don't really see anything unusual about
NDMS> the traffic you pasted.

NDMS> How long has it been running and has it stopped?  A dump of the packets
NDMS> you're seeing might be interesting, and would at least let us see what these
NDMS> requests are like.  Some newer versions of 'tcpdump' decode DNS requests and
NDMS> replies.

NDMS> David



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Grimes, Shawn (NIA/IRP): "RE: Code Red -- AGAIN?!?"
Previous message: j.e.r.k. ROCKS: "solaris nscd cores"
In reply to: NESTING, DAVID M (SBCSI): "RE: Strange Traffic.."
Next in thread: NESTING, DAVID M (SBCSI): "RE: Re[2]: Strange Traffic.."
Maybe reply: NESTING, DAVID M (SBCSI): "RE: Re[2]: Strange Traffic.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 13:04:16 PST