Howdy,

Our internal dns server seems to be a target of sorts. Below is a snort capture that depicts frag traffic coming from both our external dns servers at just about the same exact time, to a single internal dns server.... The 1st thing to note is that there is absolutely no reason for traffic to be fragged here. The second thing is that both the DF and MF bits are set.

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/12-09:51:25.017423 external.xxx.xxx.3 -> internal.xxx.xxx.105
UDP TTL:255 TOS:0x0 ID:6253 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5A6

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/12-09:51:31.461959 external.xxx.xxx.3 -> internal.xxx.xxx.105
UDP TTL:255 TOS:0x0 ID:6259 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5A6

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/12-09:51:26.458693 external.xxx.xxx.25 -> internal.xxx.xxx.105
UDP TTL:255 TOS:0x0 ID:12851 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5A6

The payload for all 3 packets sent is exactly the same:

.5.5..^.X......>.....116.75.185.212.in-addr.arpa................
..www.sfwelt.net..............mail.sundr.de..............mail.df
lash.`.............mail.=.............mail.sqreal.com...........
...mail.suzana.info..............mail.anagemo.`.............mail
.anagemo...............mail.anagemo.D.............mail.m3-tele..
.............mail.sat-fun.`.............mail.d1-punkt.`.........
....mail.ecentrum.`.............mail.men-sana.`.............mail
.men-sana...............mail.men-sana.D.............mail.riphous
e...............mail.d1-mobile.`.............mail.e-zentrum.D...
..........mail.insoftpro.`.............mail.insoftpro...........
....mail.insoftpro.D.............mail.insoftpro...............ma
il.m3telecom.`.............mail.mexicaner.D.............mail.flu
gzettel.`.............mail.flugzettel...............mail.flugzet
tel.D.............mail.luftsprung...............mail.m3-telecom.
..............mail.warez-clan.`.............mail.wurfzettel.....
..........mail.wurfzettel.D.............mail.dz-exklusiv.`......
.......mail.lern-zentrum...............mail.m3solarworld.`......
.......mail.m3solarworld...............mail.modelservice.D......
.......mail.stojadinovic...............mail.auktionsplatz.......
........mail.davesribhouse...............mail.davesriphouse.....
..........mail.fashionagancy.D.............mail.trading-point...
............mail.trading-point...............mail.tuning-center.
D.............mail.wochenwerbung.`....

And a minute later the internal dns server sends back what's expected, an icmp frag reassembly exceeded.

[**] ICMP Fragment Reassembly Time Exceeded [**]
04/12-09:52:25.007563 internal.xxx.xxx.105 -> external.xxx.xxx.3
ICMP TTL:254 TOS:0x0 ID:52650 IpLen:20 DgmLen:112 DF
Type:11  Code:1  TTL EXCEEDED
E....m`....4.......i.5.5..^.X......>.....116.75.185.212.in-addr.
arpa................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Fragment Reassembly Time Exceeded [**]
04/12-09:52:55.006459 internal.xxx.xxx.105 -> external.xxx.xxx.25
ICMP TTL:254 TOS:0x0 ID:35841 IpLen:20 DgmLen:112 DF
Type:11  Code:1  TTL EXCEEDED
E...23`....W.......i.5.5..j.mU.....>.....116.75.185.212.in-addr.
arpa................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Fragment Reassembly Time Exceeded [**]
04/12-09:52:55.006497 internal.xxx.xxx.105 -> external.xxx.xxx.3
ICMP TTL:254 TOS:0x0 ID:52666 IpLen:20 DgmLen:112 DF
Type:11  Code:1  TTL EXCEEDED
E....s`............i.5.5.....7.....>.....116.75.185.212.in-addr.
arpa................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

We use a Pix520 between the external and internal DNS hosts, and sysopt security fraguard is enabled. Obviously it got past the pix520. Not to mention 1/2 of those mail addresses in the payload appear to be of a German twist, and the 116.75.185.212.in-addr resolves at ripe as

inetnum:      212.185.75.112 - 212.185.75.119
netname:      TECHNOTRADE-GMBH-NET
descr:        Technotrade GmbH
descr:        D-90443 Nuernberg
descr:        Germany
country:      DE

Has anyone seen anything like this before or have an idea what happened?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
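An added example, not part of the original post and not Snort's own code: a small Python checker that decodes the IPv4 flags/offset field and parses Snort alert text of the kind quoted above, flagging fragments whose header is inconsistent under RFC 791. It goes beyond the DF+MF case the post describes and applies the other consistency rules too (reserved bit set, DF on a non-first fragment, a non-final fragment whose data length is not a multiple of 8 octets). The sample alert text is constructed to mirror the post's format, using RFC 5737 addresses and a placeholder signature id for the control record; the assumption that Snort prints "Frag Offset" as the raw 13-bit field (8-octet units) is marked in the code.

```python
import re
import struct
from typing import Dict, List, Tuple

# RFC 791: the 16-bit field at IPv4 header offset 6 holds three flag bits
# (reserved, Don't Fragment, More Fragments) and a 13-bit offset in 8-octet units.
IP_RB, IP_DF, IP_MF, IP_OFFMASK = 0x8000, 0x4000, 0x2000, 0x1FFF


def decode_frag_field(field: int) -> Dict[str, object]:
    """Split the flags/offset field into named flags and a byte offset."""
    return {
        "RB": bool(field & IP_RB),
        "DF": bool(field & IP_DF),
        "MF": bool(field & IP_MF),
        "offset": (field & IP_OFFMASK) * 8,
    }


def frag_findings(rb: bool, df: bool, mf: bool, offset: int, frag_size: int) -> List[str]:
    """Every way this fragment violates RFC 791; an empty list means consistent."""
    findings = []
    if rb:
        findings.append("reserved bit set")
    if df and mf:  # the combination Snort sid 1322 alerts on
        findings.append("DF and MF both set")
    if df and offset != 0:
        findings.append("DF set on a non-first fragment")
    if mf and frag_size % 8 != 0:  # non-final fragments carry whole 8-octet units
        findings.append(f"non-final fragment size {frag_size} not a multiple of 8")
    return findings


def build_ipv4_header(src: bytes, dst: bytes, ident: int, flags_offset: int,
                      total_len: int, proto: int = 17, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; for parsing tests only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_offset,
                       ttl, proto, 0, src, dst)


def findings_from_raw_header(hdr: bytes) -> List[str]:
    """Apply the RFC 791 checks to a raw IPv4 header from a capture."""
    ihl = (hdr[0] & 0x0F) * 4
    total_len = struct.unpack("!H", hdr[2:4])[0]
    f = decode_frag_field(struct.unpack("!H", hdr[6:8])[0])
    return frag_findings(f["RB"], f["DF"], f["MF"], f["offset"], total_len - ihl)


# Snort alert lines as quoted in the post: "<proto> TTL:.. ID:.. IpLen:.. DgmLen:.. [RB] [DF] [MF]"
IP_LINE = re.compile(
    r"^(?P<proto>\w+) TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+) IpLen:(?P<iplen>\d+) "
    r"DgmLen:(?P<dgmlen>\d+)(?P<flags>(?: (?:RB|DF|MF))*)$")
FRAG_LINE = re.compile(
    r"^Frag Offset: 0x(?P<off>[0-9A-Fa-f]+)\s+Frag Size: 0x(?P<size>[0-9A-Fa-f]+)$")


def parse_snort_alerts(text: str) -> List[Dict[str, object]]:
    """Group Snort alert text into one record per '[**] ... [**]' signature line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[**]"):
            cur = {"sig": line, "flags": set(), "offset": 0, "frag_size": None}
            records.append(cur)
        elif cur is not None:
            m = IP_LINE.match(line)
            if m:
                cur.update(proto=m["proto"], id=int(m["id"]), iplen=int(m["iplen"]),
                           dgmlen=int(m["dgmlen"]), flags=set(m["flags"].split()))
                continue
            m = FRAG_LINE.match(line)
            if m:
                cur.update(offset=int(m["off"], 16), frag_size=int(m["size"], 16))
    return records


def flag_bad_frag_alerts(text: str) -> List[Tuple[int, List[str]]]:
    """(IP ID, findings) for every alert whose fragment header is inconsistent."""
    out = []
    for rec in parse_snort_alerts(text):
        if "id" not in rec:
            continue
        size = rec["frag_size"] if rec["frag_size"] is not None else rec["dgmlen"] - rec["iplen"]
        # Assumption: Snort's "Frag Offset" is the raw 13-bit field, so scale to bytes.
        f = frag_findings("RB" in rec["flags"], "DF" in rec["flags"], "MF" in rec["flags"],
                          rec["offset"] * 8, size)
        if f:
            out.append((rec["id"], f))
    return out


# Constructed sample in the post's format (RFC 5737 addresses; the second record is a
# control case with a placeholder sid, not a real Snort signature).
SAMPLE_ALERTS = """\
[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
04/12-09:51:25.017423 192.0.2.3 -> 192.0.2.105
UDP TTL:255 TOS:0x0 ID:6253 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0   Frag Size: 0x5A6

[**] [1:9999999:1] CONSTRUCTED control record, ordinary first fragment [**]
[Classification: Misc activity] [Priority: 3]
04/12-09:51:26.000000 192.0.2.7 -> 192.0.2.105
UDP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0   Frag Size: 0x5C8
"""

if __name__ == "__main__":
    for ident, f in flag_bad_frag_alerts(SAMPLE_ALERTS):
        print(f"IP ID {ident}: " + "; ".join(f))
```

Run against the sample, only the DF+MF record is reported; the constructed control fragment (MF only, 1480-byte data portion) passes every check. The size rule is the one extra signal worth keeping in a fragment sanity filter: a fragment claiming "more fragments" with a data length that is not a multiple of 8 can never be reassembled cleanly, whatever its flag bits say.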
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 11:53:39 PDT