Security Incidents mailing list archives

Strange DNS/TCP activity


From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Wed, 26 Jan 2000 22:10:56 +0100


Our nameservers have been the subject of suspicious probes (?) aimed at TCP
port 53 recently. Here is a genuine tcpdump transcript of one of the
probes (line-wrapped for better readability):

19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain:
  S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
  (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain:
  S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386)
  (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain:
  S 338360493:338360557(64) win 2048 (ttl 239, id 18215)
  (payload of 64 zeros)

[ 209.67.42.160 opens three connections, sending 64 zero bytes
  in the SYN datagram?! ]

19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900:
  S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536>
  (ttl 63, id 15013)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2901:
  S 386430030:386430030(0) ack 1535086519 win 32736 <mss 536>
  (ttl 63, id 15014)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2902:
  S 3536506566:3536506566(0) ack 338360494 win 32736 <mss 536>
  (ttl 63, id 15015)

[ the nameserver accepts these connections ]

19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain:
  R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain:
  R 1535086519:1535086519(0) win 0 (ttl 48, id 1614)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain:
  R 338360494:338360494(0) win 0 (ttl 48, id 1616)

[ 209.67.42.160 resets all connections ]

19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 40424)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 4625)

[ ...and it resets them again?! ]

The client's IP address is changing. Today, I caught 200.211.187.195,
209.67.42.183, 209.67.42.150, 209.67.42.160, and 200.211.187.194.

As far as I can tell, port numbers are always "round" numbers:
100x+0, 100x+1, and 100x+2. ISNs look random.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
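An added example, not code from the post or its author: a small Python parser for line-wrapped tcpdump output of the kind quoted above, with three detections a defender would run over it (SYN segments that carry data to TCP/53, three SYNs from one host on consecutive source ports within the same second, and a source whose packets arrive with more than one TTL, as the 239/48 split in the transcript does). The sample packets are constructed to mirror the transcript, plus one ordinary SYN so the rules can be seen to leave it alone; the port-name table and the field layout assume the 1990s tcpdump formatting shown in the post.

```python
"""Flag the SYN-with-payload probe pattern against TCP/53 in tcpdump text.

Added example, not from the post. Unwraps indented continuation lines,
parses each packet summary, and returns findings as plain data.
"""
import re
from collections import defaultdict

PORT_NAMES = {"domain": 53}  # tcpdump prints well-known ports by name

HEADER = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

# Constructed sample modelled on the transcript: three SYNs carrying 64 bytes,
# the server's SYN/ACK, the two different RSTs, and one benign SYN from
# another host (ports and addresses other than the post's are made up).
SAMPLE = """\
19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain:
  S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
  (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain:
  S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain:
  S 338360493:338360557(64) win 2048 (ttl 239, id 18215)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900:
  S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536>
  (ttl 63, id 15013)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain:
  R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
19:51:00.000000 10.0.0.5.33000 > our.nameserver.domain:
  S 100:100(0) win 16384 <mss 1460> (ttl 64, id 1)
"""


def unwrap(text):
    """Join indented continuation lines onto the packet line they belong to."""
    packets = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if packets:
                packets[-1] += " " + raw.strip()
        else:
            packets.append(raw.rstrip())
    return packets


def port_number(name):
    return int(name) if name.isdigit() else PORT_NAMES.get(name, -1)


def parse_packet(line):
    """Parse one unwrapped TCP summary line; None for commentary lines."""
    m = HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    seq = re.search(r"(\d+):(\d+)\((\d+)\)", rest)
    ttl = re.search(r"ttl (\d+)", rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": port_number(m.group("sport")),
        "dport": port_number(m.group("dport")),
        "syn": "S" in m.group("flags"),
        "rst": "R" in m.group("flags"),
        "ack": " ack " in " " + rest,   # SYN/ACK and ack'ed RSTs carry 'ack'
        "len": int(seq.group(3)) if seq else 0,  # data bytes in the segment
        "ttl": int(ttl.group(1)) if ttl else None,
    }


def analyze(text):
    """Run the three detections and return the findings."""
    pkts = [p for p in map(parse_packet, unwrap(text)) if p]
    payload_syns, syns_by_src = [], defaultdict(list)
    ttls_by_src = defaultdict(set)
    for p in pkts:
        if p["ttl"] is not None:
            ttls_by_src[p["src"]].add(p["ttl"])
        if p["syn"] and not p["ack"] and p["dport"] == 53:
            syns_by_src[p["src"]].append(p)
            if p["len"] > 0:          # a SYN should carry no data
                payload_syns.append((p["src"], p["sport"], p["len"]))
    # three SYNs from one source in one second on ports n, n+1, n+2
    triplets = []
    for src, syns in syns_by_src.items():
        by_second = defaultdict(set)
        for p in syns:
            by_second[p["ts"].split(".")[0]].add(p["sport"])
        for second, ports in by_second.items():
            for base in sorted(ports):
                if {base + 1, base + 2} <= ports:
                    triplets.append((src, base, second))
    # one host whose packets show several TTLs: different paths or senders
    ttl_mismatch = {s: sorted(t) for s, t in ttls_by_src.items() if len(t) > 1}
    return {"payload_syns": payload_syns, "port_triplets": triplets,
            "rst_count": sum(1 for p in pkts if p["rst"]),
            "ttl_mismatch": ttl_mismatch}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

On the constructed sample the three 64-byte SYNs are reported, the 2900/2901/2902 burst is grouped as one triplet, the benign zero-length SYN is ignored, and 209.67.42.160 is listed with TTLs 48 and 239; feeding real tcpdump text through `analyze()` works the same way as long as it uses the same summary layout.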
