Security Incidents mailing list archives
Re: SYN/ACK to port 53
From: Bill_Royds () pch gc ca
Date: Thu, 24 May 2001 20:53:32 -0400
This may be an example of DNS triangulation servers testing round trip time to
your server.
Several companies sell hardware/software that attempts to find the nearest web
mirror site to a client by sending these packets from the mirrors to get
response times.
Here is a response I got when I sent a complaint to one such server's owners.
Date: Wed, 2 May 2001 15:21:09 -0700
From: EAI <eai () exodus net>
To: "'Aris () securityfocus com'" <Aris () securityfocus com>
Subject: {EAI#062-681} Questions regarding 209.67.29.8
Hello,
The IP address you listed below is currently in use by USA Today. Here is
the explanation for the traffic http://www.usatoday.com/dns.htm.
If you have any more questions, email Raul Miller (raul () usatoday com)
Thanks,
"DeCamp, Paul" <PDeCamp () MedManageSystems com> on 05/24/2001 14:33:28
To: "INCIDENTS (E-mail)" <incidents () securityfocus com>
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: SYN/ACK to port 53
OK, this is beginning to drive me nuts. Since about February of this year,
our firewall has been periodically hit with what can only be a probe,
attack, whatever to port 53. Every time the scan exhibits the same behavior
and is from the same set of IP addresses.
A SYN/ACK packet is sent to TCP port 53. No SYN was sent from our system.
The SYN & ACK sequence numbers appear to be random, but the ACK is always 1
less than the SYN. Our system responds with a RST to the ACK.
I have searched books, the Internet (SANS, SecurityFocus, etc.), and while I
have found other reports of somewhat-similar activity, I have to this day
found no coherent explanation as to what this is. Based on the SYN/ACK
numbers, this is obviously some sort of malformed packet, but to what
purpose? To spoof our system into thinking that it has sent a SYN when it
hasn't? Is it a type of SYN flood? To hijack a port on our system? A scan
for some trojan?
Any assistance would be appreciated, and better yet, any advice as to where
on the Internet is a good location for looking up such obviously abnormal
activity and what possible explanations may be. Thanks.
------------------
Paul DeCamp, IT Operations Lead
MedManage Systems Inc.
Voice: (425) 354-2212
E-Mail: PDeCamp () medmanagesystems com
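As an added example (not code from the thread or any of its posters), here is a small stateful check that separates SYN/ACKs answering our own outbound SYNs from the unsolicited ones Paul describes, and records whether the ACK number is one less than the SYN number as he reports; the packet records and RFC 5737 addresses are constructed for the demo.

```python
# Added example: classify inbound SYN/ACKs to TCP/53 as solicited or unsolicited.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Pkt:
    direction: str   # "out" = leaving our network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as a string, e.g. "S", "SA", "A", "R"
    seq: int
    ack: int

def classify(packets: List[Pkt]) -> List[Dict]:
    """Flag inbound SYN/ACKs that were never preceded by an outbound SYN.

    The state table is keyed by (our_ip, our_port, peer_ip, peer_port); a
    SYN/ACK whose reversed 4-tuple is absent from it is unsolicited."""
    pending: Set[Tuple[str, int, str, int]] = set()
    findings: List[Dict] = []
    for p in packets:
        if p.direction == "out" and p.flags == "S":
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)
            findings.append({
                "peer": p.src,
                "local_port": p.dport,
                "solicited": key in pending,
                # the pattern reported in the post: ack == seq - 1 (mod 2**32)
                "ack_is_seq_minus_1": p.ack == ((p.seq - 1) & 0xFFFFFFFF),
            })
            pending.discard(key)   # a reply consumes the pending SYN
    return findings

def unsolicited_peers(packets: List[Pkt], port: int = 53) -> List[str]:
    """Peers that sent an unsolicited SYN/ACK to the given local port."""
    return [f["peer"] for f in classify(packets)
            if not f["solicited"] and f["local_port"] == port]

# Constructed sample traffic (documentation addresses, not real hosts):
SAMPLE = [
    Pkt("out", "192.0.2.10", 40001, "198.51.100.5", 53, "S", 1000, 0),
    Pkt("in", "198.51.100.5", 53, "192.0.2.10", 40001, "SA", 5000, 1001),  # legit reply
    Pkt("in", "203.0.113.8", 80, "192.0.2.10", 53, "SA", 12345, 12344),    # unsolicited
]

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f)
    print("unsolicited SYN/ACK to 53 from:", unsolicited_peers(SAMPLE))
```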