Security Incidents mailing list archives

DNS traffic bursts at tcp port 53 (and 1024)


From: "Suhrstedt, Tom" <tsuhrstedt () sowilo com>
Date: Wed, 16 May 2001 09:55:19 -0400

I recently noticed significant bursts of tcp traffic to my firewall (always a hundred or so requests in a burst from 
roughly the same set of hosts) which are dropped because the firewall sees them as "unknown established TCP packets". I 
was able to get some relevant information from this mail list in an old thread from October 2000 ("TCP Connections to 
port 1024 - DDoS?"), and so am posting to this list to see if anyone can enlighten me or point me in the right 
direction. In the previous thread, there was a list of hosts supplied, and mine (shown below) are roughly the same:

140.239.176.162                   42.39.220-216.q9.net  
194.205.125.26                    62.26.119.34  
202.139.133.129                   63.209.147.246  
203.194.166.182                   64.14.200.154   
203.208.128.70                    64.37.200.46  
208.184.162.71.mirror-image.com   64.56.174.186  
212.23.225.98                     64.78.235.14               
216.33.35.214                     S12-0-0-MAD-IA27AR01.ams.nl.COLT.NET  
216.34.68.2                       host.2.80.23.62.rev.coltfrance.com  
216.34.68.2                       mirror-image.com                     
216.35.167.58                     mirrorimage-gw.dlls.tx.verio.net         

There was some discussion about whether this was a DDoS, but a later submission stated that this was used (at least in 
some cases) on port 1024 as an rtt mechanism and was normal behavior for the global load balancing implemented by 
mirror-image for their customers using the Cisco Distributed Director. What is different for me is that these packets 
are arriving on port 53 (rather than 1024). The TCP flags are always SYN/ACK. The DNS portion of the packet appears to 
be empty. 

I suppose that most of these addresses are intentionally not registered for reverse DNS resolution, though a meaningful 
name and contact might help people get a clue as to what is going on. When I look some of them up on Whois they are 
indeed worldwide, and some are reserved by mirror-image.

Any help would be appreciated regarding:
- any pointers to good information relating to this
- whether this is definitely load balancing activity 
- whether it should be expected on port 53 or 1024
- how many schemes/suppliers/implementations there are of this sort of thing

Some sample traces from snoop are below:

  1   0.00000 216.35.167.58 -> x.x.x.x ETHER Type=0800 (IP), size = 60 bytes
  1   0.00000 216.35.167.58 -> x.x.x.x IP  D=x.x.x.x S=216.35.167.58 LEN=44, ID=0
  1   0.00000 216.35.167.58 -> x.x.x.x TCP D=53 S=24567 Syn Ack=655589674 Seq=655589675 Len=0 Win=4128 Options=<mss 536>
  1   0.00000 216.35.167.58 -> x.x.x.x DNS C port=24567

DNS:  ----- DNS:   -----
DNS:
DNS:  ""
DNS:
________________________________
  2   0.00892 216.33.35.214 -> x.x.x.x ETHER Type=0800 (IP), size = 60 bytes
  2   0.00892 216.33.35.214 -> x.x.x.x IP  D=x.x.x.x S=216.33.35.214 LEN=44, ID=0
  2   0.00892 216.33.35.214 -> x.x.x.x TCP D=53 S=11645 Syn Ack=239568583 Seq=239568584 Len=0 Win=4128 Options=<mss 536>
  2   0.00892 216.33.35.214 -> x.x.x.x DNS C port=11645
________________________________
  3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x ETHER Type=0800 (IP), size = 60 bytes
  3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x IP  D=x.x.x.x S=207.55.138.206 LEN=44, ID=0
  3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x TCP D=53 S=54847 Syn Ack=542170205 Seq=542170206 Len=0 Win=4128 Options=<mss 536>
  3   0.00159 mirrorimage-gw.dlls.tx.verio.net -> x.x.x.x DNS C port=54847

Many Thanks.
---
Tom Suhrstedt
Sowilo Networks
office: (443) 259-6910
tsuhrstedt () sowilo com
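Added example, not part of Tom's post or of any vendor's code: a small replay of snoop TCP summary lines through a minimal state table, which shows why a stateful firewall labels these SYN/ACKs "unknown established" (no outbound SYN of ours ever asked for them) and groups the unsolicited ones per source together with the Win/mss fingerprint the post describes. The local host 192.0.2.10 and the legitimate connection to 198.51.100.9 in the sample are constructed; the remaining frames mimic the trace above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in snoop's one-line TCP summary format. 192.0.2.10 is an
# invented local host; frames 1-2 are an invented legitimate TCP/53 connection it
# opened itself, frames 3-6 mimic the unsolicited SYN/ACKs shown in the post
# (same source addresses, Win=4128, mss 536, no outbound SYN from us).
SAMPLE_TRACE = """\
  1   0.00000 192.0.2.10 -> 198.51.100.9 TCP D=53 S=40001 Syn Seq=1000 Len=0 Win=8760 Options=<mss 1460>
  2   0.00100 198.51.100.9 -> 192.0.2.10 TCP D=40001 S=53 Syn Ack=1001 Seq=5000 Len=0 Win=8760 Options=<mss 1460>
  3   0.00200 216.35.167.58 -> 192.0.2.10 TCP D=53 S=24567 Syn Ack=655589674 Seq=655589675 Len=0 Win=4128 Options=<mss 536>
  4   0.01092 216.33.35.214 -> 192.0.2.10 TCP D=53 S=11645 Syn Ack=239568583 Seq=239568584 Len=0 Win=4128 Options=<mss 536>
  5   0.01251 207.55.138.206 -> 192.0.2.10 TCP D=53 S=54847 Syn Ack=542170205 Seq=542170206 Len=0 Win=4128 Options=<mss 536>
  6   0.01300 216.35.167.58 -> 192.0.2.10 TCP D=53 S=24568 Syn Ack=655589700 Seq=655589701 Len=0 Win=4128 Options=<mss 536>
"""

# Matches only the TCP summary line of each frame; ETHER/IP/DNS lines are skipped.
HEADER = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+(?P<rest>.*)$"
)


@dataclass
class TcpSummary:
    frame: int
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool
    win: int
    mss: Optional[int]


def parse_snoop_tcp(text: str) -> List[TcpSummary]:
    """Parse snoop TCP summary lines into records; snoop prints 'Syn' as a bare
    flag and the ACK flag as 'Ack=<number>', so both are tested separately."""
    out: List[TcpSummary] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rest = m.group("rest")
        mss_m = re.search(r"mss (\d+)", rest)
        out.append(TcpSummary(
            frame=int(m.group("frame")), src=m.group("src"), dst=m.group("dst"),
            sport=int(re.search(r"\bS=(\d+)", rest).group(1)),
            dport=int(re.search(r"\bD=(\d+)", rest).group(1)),
            syn=re.search(r"\bSyn\b", rest) is not None,
            ack=re.search(r"\bAck=", rest) is not None,
            win=int(re.search(r"\bWin=(\d+)", rest).group(1)),
            mss=int(mss_m.group(1)) if mss_m else None,
        ))
    return out


def unsolicited_synacks(records: List[TcpSummary], local_hosts: Set[str]) -> List[TcpSummary]:
    """Replay the trace through a minimal state table: an outbound SYN from one of
    our hosts creates a pending entry, and an inbound SYN/ACK is legitimate only if
    it answers such an entry. Everything else is what the firewall calls an
    'unknown established TCP packet'."""
    pending: Set[Tuple[str, int, str, int]] = set()
    flagged: List[TcpSummary] = []
    for r in records:
        if r.src in local_hosts and r.syn and not r.ack:
            pending.add((r.src, r.sport, r.dst, r.dport))
        elif r.dst in local_hosts and r.syn and r.ack:
            key = (r.dst, r.dport, r.src, r.sport)
            if key in pending:
                pending.discard(key)   # expected second step of our own handshake
            else:
                flagged.append(r)      # nobody here asked for this SYN/ACK
    return flagged


def burst_report(flagged: List[TcpSummary]) -> Dict[str, dict]:
    """Group unsolicited SYN/ACKs per source with the ports hit and the TCP
    fingerprint (window, mss), so repeated probe sets are easy to compare."""
    per_src: Dict[str, List[TcpSummary]] = defaultdict(list)
    for r in flagged:
        per_src[r.src].append(r)
    return {
        src: {
            "count": len(rs),
            "dports": sorted({r.dport for r in rs}),
            "fingerprints": sorted({(r.win, r.mss) for r in rs}),
        }
        for src, rs in per_src.items()
    }


if __name__ == "__main__":
    recs = parse_snoop_tcp(SAMPLE_TRACE)
    report = burst_report(unsolicited_synacks(recs, {"192.0.2.10"}))
    for src, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src:16} {info['count']:3} unsolicited SYN/ACK  dports={info['dports']} fp={info['fingerprints']}")
```

The same replay can be run over a real `snoop -V` capture to confirm that none of the flagged sources ever received a SYN from the local network first; if the flagged set shares one fingerprint (here Win=4128, mss 536) and comes in synchronised bursts, that is consistent with the probe behaviour discussed in the earlier thread rather than with an attempted connection.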