Security Incidents mailing list archives
Re: constant flow of root queries
From: ilaiy <ilaiy.e () gmail com>
Date: Thu, 19 Jan 2006 10:29:35 -0600
Try to block the traffic from 207.210.68.202. It looks like some kind of webhosting company. Try sending a mail to

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse () gnax net

and let them know that one of their machines is giving out some random requests.

OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 55 Marietta St, NW
Address: Suite 1720
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange: 207.210.64.0 - 207.210.127.255
CIDR: 207.210.64.0/18
NetName: GNAXNET
NetHandle: NET-207-210-64-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment:
RegDate: 2005-04-12
Updated: 2006-01-09

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse () gnax net

OrgTechHandle: ENGIN7-ARIN
OrgTechName: Engineering
OrgTechPhone: +1-404-230-9150
OrgTechEmail: engineering () gnax net

You could also redirect the traffic to some machine if you want to perform further analysis.

./thanks
ilaiy

On 1/18/06, Brian Collins <listbc () newnanutilities org> wrote:
Good day folks. This morning an admin asked us to check on a large amount of traffic targeting several DNS servers in our network (both our own DNS servers and customer co-located DNS servers). In looking at the traffic I see that the source is making several queries a second for DNS root. I have included a small sample from tcpdump below. Not sure what the motive is here. The TTLs are all 235. The random source ports make me think possibly spoofed traffic. I can put packet dumps up on a website in libpcap format if anyone is interested. They are still going on as I type this. Thanks for any insight you can lend.

08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] ANY ANY? . (28)
08:44:32.191226 IP 207.210.68.202.11958 > 216.130.152.71.53: 24095+ [1au] ANY ANY? . (28)
08:44:32.453721 IP 207.210.68.202.30962 > 216.130.152.71.53: 28728+ [1au] ANY ANY? . (28)
08:44:32.965355 IP 207.210.68.202.30683 > 216.130.152.71.53: 12271+ [1au] ANY ANY? . (28)
08:44:33.468862 IP 207.210.68.202.9966 > 216.130.152.71.53: 28170+ [1au] ANY ANY? . (28)
08:44:33.720408 IP 207.210.68.202.9920 > 216.130.152.71.53: 28160+ [1au] ANY ANY? . (28)
08:44:33.976693 IP 207.210.68.202.22511 > 216.130.152.71.53: 9346+ [1au] ANY ANY? . (28)
08:44:34.233664 IP 207.210.68.202.20625 > 216.130.152.71.53: 18580+ [1au] ANY ANY? . (28)
08:44:34.495015 IP 207.210.68.202.7023 > 216.130.152.71.53: 7968+ [1au] ANY ANY? . (28)
08:44:34.742492 IP 207.210.68.202.6257 > 216.130.152.71.53: 11859+ [1au] ANY ANY? . (28)
08:44:35.001415 IP 207.210.68.202.25244 > 216.130.152.71.53: 5372+ [1au] ANY ANY? . (28)
08:44:35.257812 IP 207.210.68.202.17576 > 216.130.152.71.53: 14270+ [1au] ANY ANY? . (28)
08:44:35.778259 IP 207.210.68.202.3384 > 216.130.152.71.53: 1508+ [1au] ANY ANY? . (28)
08:44:36.034492 IP 207.210.68.202.13754 > 216.130.152.71.53: 23670+ [1au] ANY ANY? . (28)
08:44:36.290463 IP 207.210.68.202.11008 > 216.130.152.71.53: 8899+ [1au] ANY ANY? . (28)
08:44:36.805271 IP 207.210.68.202.18348 > 216.130.152.71.53: 19806+ [1au] ANY ANY? . (28)
08:44:37.061876 IP 207.210.68.202.19532 > 216.130.152.71.53: 31844+ [1au] ANY ANY? . (28)
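Added example (editor's code, not part of the thread): a small Python script that parses tcpdump DNS query summaries of the kind Brian posted and profiles each source/destination pair for exactly the pattern he describes: every query is "ANY" for the root name ".", they arrive at a sustained rate, and each one comes from a different source port. The 18 sample lines are the ones quoted above; the one lookup from 10.0.0.5 is constructed as a benign control. The thresholds (10 queries, 1 query/s) are arbitrary assumptions for the demo. It also checks the "(28)" on each line against the minimal wire size of an EDNS query for "." (12-byte header, 1-byte root name, 4 bytes of QTYPE/QCLASS, 11-byte OPT record), which is what "[1au]" indicates.

```python
import re
from collections import defaultdict
from datetime import datetime

# The 18 query lines quoted in Brian Collins's post, plus one constructed
# ordinary lookup (source 10.0.0.5 is made up) to show a flow that is not flagged.
SAMPLE = """\
08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] ANY ANY? . (28)
08:44:32.191226 IP 207.210.68.202.11958 > 216.130.152.71.53: 24095+ [1au] ANY ANY? . (28)
08:44:32.453721 IP 207.210.68.202.30962 > 216.130.152.71.53: 28728+ [1au] ANY ANY? . (28)
08:44:32.965355 IP 207.210.68.202.30683 > 216.130.152.71.53: 12271+ [1au] ANY ANY? . (28)
08:44:33.468862 IP 207.210.68.202.9966 > 216.130.152.71.53: 28170+ [1au] ANY ANY? . (28)
08:44:33.720408 IP 207.210.68.202.9920 > 216.130.152.71.53: 28160+ [1au] ANY ANY? . (28)
08:44:33.976693 IP 207.210.68.202.22511 > 216.130.152.71.53: 9346+ [1au] ANY ANY? . (28)
08:44:34.233664 IP 207.210.68.202.20625 > 216.130.152.71.53: 18580+ [1au] ANY ANY? . (28)
08:44:34.495015 IP 207.210.68.202.7023 > 216.130.152.71.53: 7968+ [1au] ANY ANY? . (28)
08:44:34.742492 IP 207.210.68.202.6257 > 216.130.152.71.53: 11859+ [1au] ANY ANY? . (28)
08:44:35.001415 IP 207.210.68.202.25244 > 216.130.152.71.53: 5372+ [1au] ANY ANY? . (28)
08:44:35.257812 IP 207.210.68.202.17576 > 216.130.152.71.53: 14270+ [1au] ANY ANY? . (28)
08:44:35.778259 IP 207.210.68.202.3384 > 216.130.152.71.53: 1508+ [1au] ANY ANY? . (28)
08:44:36.034492 IP 207.210.68.202.13754 > 216.130.152.71.53: 23670+ [1au] ANY ANY? . (28)
08:44:36.290463 IP 207.210.68.202.11008 > 216.130.152.71.53: 8899+ [1au] ANY ANY? . (28)
08:44:36.805271 IP 207.210.68.202.18348 > 216.130.152.71.53: 19806+ [1au] ANY ANY? . (28)
08:44:37.061876 IP 207.210.68.202.19532 > 216.130.152.71.53: 31844+ [1au] ANY ANY? . (28)
08:44:32.000000 IP 10.0.0.5.40000 > 216.130.152.71.53: 100+ A? www.example.com. (33)
"""

# tcpdump query summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <id>+ [flags] <TYPE> [<CLASS>]? <name> (<len>)".
# tcpdump prints the class only when it is not IN, which is why these lines read "ANY ANY?".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): \d+\+? (?:\[(?P<flags>[^\]]*)\] )?"
    r"(?P<qtype>[A-Za-z0-9]+)(?: (?P<qclass>[A-Za-z0-9]+))?\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)


def parse_queries(text):
    """Return one dict per tcpdump DNS query line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = m.groupdict()
        q["ts"] = datetime.strptime(q["ts"], "%H:%M:%S.%f")
        q["sport"], q["length"] = int(q["sport"]), int(q["length"])
        q["qclass"] = q["qclass"] or "IN"
        q["edns"] = "au" in (q["flags"] or "")  # [1au] = one OPT RR in the additional section
        out.append(q)
    return out


def expected_query_len(qname, edns):
    """Wire size of a minimal query: 12-byte header + encoded name + QTYPE/QCLASS (+ 11-byte OPT RR)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name_len = sum(1 + len(l) for l in labels) + 1  # length byte per label, plus the root byte
    return 12 + name_len + 4 + (11 if edns else 0)


def profile_flows(queries):
    """Per (src, dst): query count, rate, distinct source ports, and how many are 'ANY .' queries."""
    flows = defaultdict(list)
    for q in queries:
        flows[(q["src"], q["dst"])].append(q)
    report = {}
    for key, qs in flows.items():
        span = (max(q["ts"] for q in qs) - min(q["ts"] for q in qs)).total_seconds()
        n = len(qs)
        report[key] = {
            "count": n,
            "rate_per_s": n / span if span > 0 else float(n),
            "distinct_sports": len({q["sport"] for q in qs}),
            "root_any": sum(1 for q in qs if q["qname"] == "." and q["qtype"] == "ANY"),
        }
    return report


def flag_root_any_floods(report, min_count=10, min_rate=1.0):
    """Flag flows that are entirely ANY-for-root, sustained, and use a fresh source port every time."""
    return {
        key: r for key, r in report.items()
        if r["root_any"] >= min_count and r["root_any"] == r["count"]
        and r["rate_per_s"] >= min_rate and r["distinct_sports"] == r["count"]
    }


if __name__ == "__main__":
    report = profile_flows(parse_queries(SAMPLE))
    for (src, dst), r in flag_root_any_floods(report).items():
        print("suspect %s -> %s: %d queries, %.1f/s, %d distinct source ports"
              % (src, dst, r["count"], r["rate_per_s"], r["distinct_sports"]))
```

Run against the quoted sample it reports the single 207.210.68.202 -> 216.130.152.71 flow at roughly 3.3 queries/s with 18 distinct source ports out of 18 queries; the constructed A lookup from 10.0.0.5 is left alone. The flow keys are the obvious thing to feed into an ACL or a rate limit, and the same profile run over a longer capture is what you would attach to the abuse report.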
Current thread:
- constant flow of root queries Brian Collins (Jan 18)
- Re: constant flow of root queries ilaiy (Jan 19)
- Re: constant flow of root queries Bojan Zdrnja (Jan 19)
- Re: constant flow of root queries Dude VanWinkle (Jan 20)
- Re: constant flow of root queries Kerry Thompson (Jan 23)