Security Incidents mailing list archives
Very large scale named Iquery scan?
From: Tom Whipp <twhipp () COMMERCENTI COM>
Date: Wed, 15 Nov 2000 15:30:39 -0000
Just thought I'd share the following: a number of hosts on my network have received Iqueries from a single source. These queries are very widely spaced (about one every 4 days) and the target hosts are being probed sequentially. The precise periodicity and sequential nature of these probes seem to indicate that this is part of an ongoing scan which has been running for at least 1 month (and by the IP numbers I'd guess closer to 2 months).

I don't think I have a complete trace, as we have only just moved our IDS onto a dedicated host, and so the gaps in my early detects can probably be accounted for by dropped packets on an overloaded host; certainly the increments in IP addresses indicate that the gaps in the early detects are due to missed detects, not a change in scan rate.

The source IP is 211.50.136.189, with the detects by a Snort sensor matching the [IDS277 - NAMED Iquery Probe] rule. Sample packet payloads are:

2000-11-15 05:01:12
000 : 4E 2F 09 80 00 00 00 01 00 00 00 00 00 00 01 00  N/..............
020 : 01 00 00 7A 69 00 04 04 03 02 01                 ...zi......

2000-11-11 12:55:05
000 : BE 3E 09 80 00 00 00 01 00 00 00 00 00 00 01 00  .>..............
020 : 01 00 00 7A 69 00 04 04 03 02 01                 ...zi......

This appears to be an IP belonging to a Korean ISP, but as the definitive whois server is in Korean I haven't followed this up much.

The scan sequence is:

2000-11-15 05:01:12 target xxx.xxx.xxx.17
2000-11-11 12:55:05 target xxx.xxx.xxx.16
2000-11-07 21:24:11 target xxx.xxx.xxx.15
2000-10-31 10:47:04 target xxx.xxx.xxx.13
2000-10-27 13:55:31 target xxx.xxx.xxx.12
2000-10-23 18:02:53 target xxx.xxx.xxx.11
2000-10-19 22:35:17 target xxx.xxx.xxx.10 (real DNS server found, followed immediately with a DNS version query)
2000-10-04 16:37:40 target xxx.xxx.xxx.6
2000-09-30 23:35:18 target xxx.xxx.xxx.5

Just curious if anyone else is seeing this guy.

Tom
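Added example (not part of Tom's post, and not Snort's own rule logic): a small Python decoder for the two payloads quoted above, plus a check of the "missed detects, not a change in scan rate" argument against the listed timestamps. The probe bytes and the scan log are transcribed from the post; the ordinary A query for example.com is a constructed contrast case. The decoder walks the 12-byte DNS header (RFC 1035), recognises opcode 1 (IQUERY), and because an inverse query carries its subject as a single answer RR rather than a question, parses that RR. The scan check estimates the per-host period from the consecutive-host detects and then asks whether each multi-host jump is a whole number of those periods; the probe/benign classification in `is_iquery_probe` is my reading of what a NAMED Iquery Probe signature keys on, not a quotation of rule IDS277.

```python
import struct
from datetime import datetime
from ipaddress import IPv4Address
from statistics import median

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}

# Transcribed from the two hex dumps in the post (27 bytes each); only the
# transaction ID differs between them.
PROBE_2000_11_15 = bytes.fromhex(
    "4E2F 0980 0000 0001 0000 0000 00 0001 0001 00007A69 0004 04030201")
PROBE_2000_11_11 = bytes.fromhex(
    "BE3E 0980 0000 0001 0000 0000 00 0001 0001 00007A69 0004 04030201")
# Constructed for contrast (not from the post): a normal recursive A query.
NORMAL_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))


def read_name(buf, off):
    """Read a DNS name at buf[off]; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 s4.1.4
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(buf, ptr)
            if tail != ".":
                labels.append(tail)
            return ".".join(labels) or ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) or ".", off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def decode_dns(payload):
    """Parse the DNS header and, for an inverse query, its single answer RR."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    msg = {
        "id": ident,
        "qr": flags >> 15,
        "opcode": OPCODES.get((flags >> 11) & 0xF, "reserved"),
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }
    if msg["opcode"] == "IQUERY" and qd == 0 and an == 1:
        name, off = read_name(payload, 12)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        msg["answer"] = {
            "name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": str(IPv4Address(rdata)) if (rtype, rdlen) == (1, 4) else rdata.hex(),
        }
    return msg


def is_iquery_probe(payload):
    """Inverse query, no question section, exactly one answer RR, nothing else."""
    m = decode_dns(payload)
    return m["qr"] == 0 and m["opcode"] == "IQUERY" and m["counts"] == (0, 1, 0, 0)


# (timestamp, last octet of target) from the post, oldest first.
SCAN_LOG = [
    ("2000-09-30 23:35:18", 5), ("2000-10-04 16:37:40", 6),
    ("2000-10-19 22:35:17", 10), ("2000-10-23 18:02:53", 11),
    ("2000-10-27 13:55:31", 12), ("2000-10-31 10:47:04", 13),
    ("2000-11-07 21:24:11", 15), ("2000-11-11 12:55:05", 16),
    ("2000-11-15 05:01:12", 17),
]


def scan_analysis(log, fmt="%Y-%m-%d %H:%M:%S"):
    """Return (period in days, gaps). Period is the median interval between
    consecutive-host detects; each gap is (from, to, hosts skipped over,
    periods elapsed) so the two can be compared for multi-host jumps."""
    ts = [(datetime.strptime(t, fmt), octet) for t, octet in log]
    steps = [(o0, o1, (t1 - t0).total_seconds())
             for (t0, o0), (t1, o1) in zip(ts, ts[1:])]
    period = median(s for o0, o1, s in steps if o1 - o0 == 1)
    gaps = [(o0, o1, o1 - o0, round(s / period)) for o0, o1, s in steps if o1 - o0 > 1]
    return period / 86400, gaps


if __name__ == "__main__":
    for p in (PROBE_2000_11_15, PROBE_2000_11_11, NORMAL_QUERY):
        print(is_iquery_probe(p), decode_dns(p))
    print(scan_analysis(SCAN_LOG))
```

Decoding either probe gives opcode IQUERY with counts (0, 1, 0, 0), an answer RR for the root name, type A, class IN, TTL 31337 (0x7A69) and RDATA 4.3.2.1; the scan analysis gives a period of about 3.76 days, and both jumps in the log (.6 to .10, .13 to .15) elapse exactly as many periods as hosts were skipped, which is the observation the post draws from the address increments.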
Current thread:
- rash of pings. Hendrie, David J, GOVMK (Nov 14)
- <Possible follow-ups>
- Re: rash of pings. Lastname, Firstname (Nov 15)
- Very large scale named Iquery scan? Tom Whipp (Nov 16)