Security Incidents mailing list archives

Re: Weird DNS scans


From: John Hall <j.hall () f5 com>
Date: Fri, 05 Oct 2001 15:51:46 -0700



Richard Smith wrote:
> Can you post a sanitized dump of the scan?

Yes, please.  We'd be very interested.

> Are the source ports incrementing by one and scanning port 53?
> This is a common trait of BigIP; it gathers RTT and
> other stats so that it can properly route you to the
> least loaded server via local load-balancing.

The BIG-IP, when used in conjunction with an F5 3-DNS global load
balancer, will collect RTT (round trip time) information and some
other metrics which are returned to the 3-DNS so it can do *global*
load balancing.  Once the hostname has been resolved to a virtual
server at an appropriate data-center and a connection is opened,
then the BIG-IP *locally* load balances the connection.

Current (up to a year old) software should be using RTT measurements
that are much less detectable (or at least ring fewer alarms).  One
indicator that the scan is an RTT measurement is that the packets
will come in groups of three with the ID field of the packet set
to 1, then 2, then 3.

> The only concern I might have is the fact that IRC is
> reported as listening on port 6667.

I'd be VERY concerned.  No BIG-IP should have that port open
by default.  It is possible someone has configured their BIG-IP
to pass traffic on that port in to another host, or has created
a virtual server on that port for some purpose.

Generally, a BIG-IP or 3-DNS that was doing RTT measurements would
also show that something was listening on port 4353, so I'd
conclude these are not BIG-IPs (and without port 53, definitely
not 3-DNSs).  It is possible the port 6667 indication is coming
from something on Seth's network (such as a firewall blocking port
6667) rather than from the remote host?

> It could be a compromised host. BigIP uses a modified version of
> FreeBSD.

BIG-IP uses a custom version of BSDI.

> R/
>
> Richard Smith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
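As an added example (not part of the thread, and not F5's own code), the two fingerprints John and Richard describe, bursts of three packets to port 53 whose IP ID field runs 1, 2, 3, optionally with source ports stepping by one, can be applied to captured packet metadata to separate likely RTT probes from other scans. The Packet record, the burst-gap threshold and the sample packets below are constructed for illustration.

```python
"""Classify probe bursts against the BIG-IP RTT-measurement pattern
described in the thread. Added example; packet records and field
names are constructed, not taken from a real capture."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int   # IP header Identification field


def split_bursts(packets: List[Packet], gap: float = 2.0) -> Dict[Tuple[str, str], List[List[Packet]]]:
    """Group packets by (src, dst) and start a new burst whenever two
    consecutive packets in a flow are more than `gap` seconds apart."""
    bursts: Dict[Tuple[str, str], List[List[Packet]]] = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        flow = bursts[(p.src, p.dst)]
        if flow and p.ts - flow[-1][-1].ts <= gap:
            flow[-1].append(p)
        else:
            flow.append([p])
    return bursts


def classify_burst(burst: List[Packet]) -> str:
    """'rtt-probe' if the burst is exactly three packets to port 53 with
    IP ID 1, 2, 3 in order; '+seqports' is appended when the source
    ports also step by one (Richard's observation); otherwise 'other'."""
    if len(burst) != 3 or any(p.dport != 53 for p in burst):
        return "other"
    if [p.ip_id for p in burst] != [1, 2, 3]:
        return "other"
    sports = [p.sport for p in burst]
    if sports[1] - sports[0] == 1 and sports[2] - sports[1] == 1:
        return "rtt-probe+seqports"
    return "rtt-probe"


def classify(packets: List[Packet], gap: float = 2.0) -> List[Tuple[str, str, str]]:
    """One (src, dst, verdict) entry per burst, in order of first packet."""
    out: List[Tuple[str, str, str]] = []
    for (src, dst), flow in split_bursts(packets, gap).items():
        for burst in flow:
            out.append((src, dst, classify_burst(burst)))
    return out


# Constructed sample: one RTT-style burst with sequential source ports,
# a four-packet DNS sweep, a three-packet burst to 6667 (wrong port),
# and a later RTT-style burst from the same source with scattered ports.
SAMPLE = [
    Packet(0.00, "203.0.113.10", 1025, "198.51.100.5", 53, 1),
    Packet(0.05, "203.0.113.10", 1026, "198.51.100.5", 53, 2),
    Packet(0.10, "203.0.113.10", 1027, "198.51.100.5", 53, 3),
    Packet(0.30, "192.0.2.7", 40000, "198.51.100.5", 53, 17212),
    Packet(0.31, "192.0.2.7", 40001, "198.51.100.5", 53, 17213),
    Packet(0.32, "192.0.2.7", 40002, "198.51.100.5", 53, 17214),
    Packet(0.33, "192.0.2.7", 40003, "198.51.100.5", 53, 17215),
    Packet(5.00, "192.0.2.9", 3000, "198.51.100.5", 6667, 1),
    Packet(5.05, "192.0.2.9", 3500, "198.51.100.5", 6667, 2),
    Packet(5.10, "192.0.2.9", 3900, "198.51.100.5", 6667, 3),
    Packet(60.0, "203.0.113.10", 2000, "198.51.100.5", 53, 1),
    Packet(60.1, "203.0.113.10", 2200, "198.51.100.5", 53, 2),
    Packet(60.2, "203.0.113.10", 2400, "198.51.100.5", 53, 3),
]

if __name__ == "__main__":
    for src, dst, verdict in classify(SAMPLE):
        print(f"{src} -> {dst}: {verdict}")
```

The burst gap is a tunable, not something the thread specifies; a real capture would also want the port 4353 observation (a listener on the probing host) checked separately, since it cannot be inferred from inbound packets alone.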

