Security Incidents mailing list archives
Re: DNS Floods to personal firewalls
From: yves.soun () certa scssi gouv fr
Date: Thu, 17 May 2001 11:04:56 +0200
This traffic appears to be the result of an RTT measurement which involves Mirror Image servers. According to Mirror Image, a load balancer (Cisco's Distributed Director) is used.
More on DRP-RTT metric: http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm
I see all the nodes quoted in the following list except 165.121.70.75 and 212.78.164.193.
I think the ACK flag and port 53 are used to bypass routers' filters.

Yves Soun.

---------------
CERTA (French Governmental CSIRT)
---------------
Phone: (+33) 1 41 46 25 23
Fax: (+33) 1 41 46 37 01
E-mail: CERTA-svp () certa scssi gouv fr
-----------------------------------------------------------------
On 2001-05-16 11:02:29 +0200, Thomas Roessler wrote:

The same characteristic also applies to the logs at http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David posted, and which are 10 days old. (!)

Asking google for a randomly selected common IP address from the list, I found <http://my.maceast.com/homevision-u-l/ace-l/linux-router-l/%2330765452>, where Nicolas Riendeau reports a similar scan which happened on April 13, 2001.

Taking his log file entries ("MrShield") into account, the table of attackers' IP addresses looks like this now:

140.239.176.162   keith sobolev tifa mrshield
165.121.70.75     keith
194.205.125.26    keith sobolev tifa mrshield
194.213.64.150    keith sobolev tifa mrshield
202.139.133.129   keith sobolev tifa mrshield
203.194.166.182   keith sobolev tifa mrshield
203.208.128.70    keith sobolev tifa mrshield
207.55.138.206    keith sobolev tifa
208.184.162.71    keith sobolev tifa mrshield
209.249.97.40     keith sobolev tifa mrshield
212.23.225.98     keith sobolev tifa mrshield
212.78.160.237    keith tifa mrshield
212.78.164.193    sobolev
216.220.39.42     keith sobolev tifa mrshield
216.33.35.214     keith sobolev tifa mrshield
216.34.68.2       keith sobolev tifa mrshield
216.35.167.58     keith sobolev tifa
62.23.80.2        keith sobolev tifa mrshield
62.26.119.34      keith sobolev tifa mrshield
63.209.147.246    keith sobolev tifa mrshield
64.14.200.154     keith sobolev tifa
64.37.200.46      keith sobolev tifa mrshield
64.56.174.186     keith sobolev tifa mrshield
64.78.235.14      keith sobolev tifa

Maybe what we are seeing here are mostly decoy addresses used by some tool with an extremely bad RNG?

--
Thomas Roessler http://log.does-not-exist.org/
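As an added illustration of Yves Soun's point (this is example code written for this archive page, not anything posted in the thread or shipped by Cisco), the model below contrasts a stateless "established" ACL, which passes any segment carrying ACK, with a minimal stateful connection table, which logs an unsolicited ACK-only probe to port 53 the way the personal firewalls in this thread did. Packet addresses and the Packet/StatefulTracker names are constructed for the example.

```python
# Example (not from the thread): an unsolicited TCP ACK to port 53 passes a
# stateless "established" filter but is flagged by a stateful tracker.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"ACK"})

def stateless_established_allows(pkt: Packet) -> bool:
    """Router-style ACL 'permit tcp any any established': matches any segment
    with ACK or RST set and never checks that a handshake actually happened."""
    return "ACK" in pkt.flags or "RST" in pkt.flags

class StatefulTracker:
    """Minimal connection table: inbound segments are accepted only if the
    inside host opened the flow; anything else is logged as unsolicited."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.log = []

    def outbound(self, pkt: Packet) -> None:
        if "SYN" in pkt.flags:  # inside host starts a connection
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allows(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        self.log.append("unsolicited %s from %s:%d to %s:%d" % (
            "/".join(sorted(pkt.flags)), pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return False

# Constructed sample traffic (placeholder addresses, not the ones in the thread):
INSIDE = "192.0.2.10"
OUTSIDE = "198.51.100.7"
legit_syn = Packet(INSIDE, 40000, OUTSIDE, 80, frozenset({"SYN"}))
legit_reply = Packet(OUTSIDE, 80, INSIDE, 40000, frozenset({"SYN", "ACK"}))
rtt_probe = Packet(OUTSIDE, 53, INSIDE, 53, frozenset({"ACK"}))  # ACK-only to port 53

def classify(inbound, outbound_syns):
    """Return (src, stateless_verdict, stateful_verdict) per inbound packet."""
    tracker = StatefulTracker()
    for p in outbound_syns:
        tracker.outbound(p)
    return [(p.src, p.dport, stateless_established_allows(p), tracker.inbound_allows(p))
            for p in inbound]
```

Run classify([legit_reply, rtt_probe], [legit_syn]) to see the reply accepted by both filters and the probe accepted only by the stateless ACL.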