Security Incidents mailing list archives
Re: Unwanted DNS connection attempts
From: Aj Effin ReznoR <aj () REZNOR COM>
Date: Tue, 5 Sep 2000 20:42:03 -0700
Richard Bejtlich wrote:
> Alex,
>
> These are most likely round trip time (RTT) latency tests from an F5 3DNS load balancer. I describe traffic like this in a paper at http://bejtlich.net called "Interpreting Network Traffic." This traffic is bothersome but not malicious. You can ignore it. I recognize the Exodus source IPs from last year, also.
>
> Richard
>
> > They are both UDP and TCP, so I also suspect zone transfer attempts.
> >
> > Here are the logs, times GMT+0300, ntp stratum 3 synchronised:
> >
> > Sep 4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
> > Sep 4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Alex, I beg to differ on your last sentence. Richard's email addy was .ro, which matches with the destination IP of 192.129.3.227. The first IP listed above, 200.211.187.194, ARINs to a co. in São Paulo, Brazil. The second IP, 209.67.42.162, is indeed under Exodus, but "belongs" to a company in New York called "Starmedia". I wouldn't blame Exodus for this. Not entirely at least.

From what I recall of glancing around in the 2 Exodus centers I've been in, I don't recall seeing any F5 hardware. Others in that block follow suit.

-aj.
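The thread turns on reading ipfilter's ipmon log lines and noticing that the same sources hit port 53 over both UDP and TCP. The script below is an added example, not code from anyone in the thread: it parses ipmon's default one-line-per-packet format (syslog stamp, host, ipmon timestamp, interface, @group:rule, b/p action, src,port -> dst,port, protocol, lengths, optional TCP flags, direction), then summarises per source how many TCP SYNs and UDP datagrams reached the DNS port, so the "both UDP and TCP" observation can be pulled out of a log mechanically rather than by eye. The first two sample lines are the ones quoted in the thread; the UDP lines and the 10.0.0.5 source are constructed for the example.

```python
import re
from collections import defaultdict

# Assumption: ipmon's default output format, one packet per line. The TCP
# flags field ("-S" for a bare SYN) is present only for TCP packets.
IPMON_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)

# Constructed sample log: lines 1-2 are from the thread, lines 3-4 are made up
# to show a UDP query from the same source and an ordinary passed UDP query.
SAMPLE_LOG = """\
Sep  4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep  4 20:13:33 ns ipmon[254]: 20:13:33.101000 ed0 @0:20 b 209.67.42.162,2201 -> 192.129.3.227,53 PR udp len 20 57 IN
Sep  4 20:14:01 ns ipmon[254]: 20:14:01.500000 ed0 @0:21 p 10.0.0.5,1025 -> 192.129.3.227,53 PR udp len 20 61 IN
"""


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "plen", "group", "rule"):
        rec[key] = int(rec[key])
    rec["blocked"] = rec["action"] == "b"      # 'b' = blocked, 'p' = passed
    rec["syn_only"] = rec["flags"] == "-S"     # connection attempt, no ACK
    return rec


def summarize_dns_probes(log_text, dns_port=53):
    """Per source IP: count inbound TCP SYNs and UDP datagrams to the DNS port."""
    summary = defaultdict(lambda: {"tcp_syn": 0, "udp": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None or rec["dport"] != dns_port or rec["dir"] != "IN":
            continue
        entry = summary[rec["src"]]
        if rec["proto"] == "tcp" and rec["syn_only"]:
            entry["tcp_syn"] += 1
        elif rec["proto"] == "udp":
            entry["udp"] += 1
        if rec["blocked"]:
            entry["blocked"] += 1
    return dict(summary)


def classify(entry):
    """Heuristic only: TCP/53 carries zone transfers and truncated-response
    retries, and the thread also attributes it to load-balancer RTT probes, so
    a source mixing TCP SYNs and UDP is flagged for review, not judged."""
    if entry["tcp_syn"] and entry["udp"]:
        return "tcp+udp: review (zone transfer attempt or load-balancer RTT probe)"
    if entry["tcp_syn"]:
        return "tcp-only SYN: review"
    return "udp-only: ordinary query traffic"


if __name__ == "__main__":
    for src, entry in summarize_dns_probes(SAMPLE_LOG).items():
        print(f"{src:16} {entry}  {classify(entry)}")
```

Run against a real ipmon log by feeding the file contents to summarize_dns_probes; the SYN-only filter ignores blocked mid-connection packets so counts reflect distinct connection attempts rather than retransmitted segments.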
Current thread:
- Unwanted DNS connection attempts razor (Sep 05)
- <Possible follow-ups>
- Re: Unwanted DNS connection attempts Richard Bejtlich (Sep 05)
- Re: Unwanted DNS connection attempts Aj Effin ReznoR (Sep 05)
- Re: detecting "trinity v3 by self" DDoS agent Philippe Bourcier (Sep 06)
- Re: Unwanted DNS connection attempts Aj Effin ReznoR (Sep 06)
- Re: Unwanted DNS connection attempts Aj Effin ReznoR (Sep 05)
- Re: Unwanted DNS connection attempts Richard Bejtlich (Sep 06)