Security Incidents mailing list archives

RE: Strange Traffic..


From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Thu, 29 Nov 2001 11:06:55 -0600

What do you see that's unusual about this traffic?  It looks like maybe this
system is just doing a large number of DNS lookups via your name server?
The 0/2/1 implies a non-authoritative response to one of their requests.

Could be that someone on their end is doing a mass reverse-lookup against a
block of your IP addresses, or a vulnerability scan that includes looking up
the hostname of the systems it hits?  Maybe the increased load on your
systems is due to these effects instead of the DNS lookups.  I wouldn't
expect the frequency/number of requests below to cause significant problems
for your servers.

This could be the effect of 3rd-party SMTP relaying also.  If someone on
your network (or another broken mail server on your network) is relaying
massive amounts of e-mail through their mail servers, it's possible their
systems are trying to do reverse DNS lookups on the originating IP
address(es).  One might expect that this information would be cached, but
it's still possible.

It could be anything, really, but I don't really see anything unusual about
the traffic you pasted.

How long has it been running and has it stopped?  A dump of the packets
you're seeing might be interesting, and would at least let us see what these
requests are like.  Some newer versions of 'tcpdump' decode DNS requests and
replies.

David

-----Original Message-----
From: Vinay Kudithipudi [mailto:kudithipudi () mail ru]
Sent: Thursday, November 29, 2001 7:12 AM
To: incidents () securityfocus com
Cc: focus-linux () securityfocus com
Subject: Strange Traffic..


Hello Guys,
      Our DNS servers have been getting a lot of strange traffic from
a couple of IP addresses allocated to the Social Security
Administration.

Here is a tcpdump I did on one of our DNS servers.

07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
...
07:00:56.992344 dns1.domain > 199.173.224.20.domain: 29865 1/2/1 (116) (DF)
07:00:56.994509 199.173.224.20.domain > dns1.domain: 53859 (35)
07:00:56.994757 199.173.224.20.domain > dns1.domain: 13471 (35)
07:00:56.995297 dns1.domain > 199.173.224.20.domain: 53859 1/2/1 (116) (DF)
07:00:56.995963 dns1.domain > 199.173.224.20.domain: 13471 1/2/1 (116) (DF)
...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com