Security Incidents mailing list archives
Re: Weird DNS scans
From: John Hall <j.hall () f5 com>
Date: Mon, 08 Oct 2001 13:34:44 -0700
We've identified several of the sources of these packets as either BIG-IP's or 3-DNS's. None of them actually have port 6667 open, so that looks like an artifact of some device between the host you ran nmap upon and the destination hosts. Two of them are 3-DNS's operated by realmedia.com (3dns.east.realmedia.com and 3dns.west.realmedia.com) and several of the others are probably BIG-IP's operated by them as well. It looks like they've modified the 3-DNS Round Trip Time probe settings to do five probes at a time, which some may consider excessive. I've forwarded this information to our Support group to see if we can help them configure their 3-DNS's to be a little less noisy. If you find these probes obnoxious, you can contact them and ask them to add you to their 3-DNS do-not-probe list. One thing you should understand is that these probes are prompted by a DNS request from your site and result in you getting better service from their sites. Once you are on the do-not-probe list, you will most likely get poorer service from them.

JMH

Seth Milder wrote:
> BTW, I could not telnet to port 6667 FWIW. Here is some of it:
>
> Oct 4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=48 (#47)
> Oct 4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=48 (#47)
> ...
> Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=47 (#47)
> Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=47 (#47)
> Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=47 (#47)
> Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=4 F=0x0000 T=47 (#47)
> Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=5 F=0x0000 T=47 (#47)
> Oct 4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=50 (#47)
> Oct 4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=50 (#47)
> ...
>
> --
> Seth Milder
> Department of Physics and Astronomy
> MS 3f3
> George Mason University
> Fairfax, VA
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
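The pattern John describes, five UDP/53 probes from the same source address and port within a second or two, is easy to pick out of ipchains "Packet log:" lines like the ones Seth posted. The script below is an added example, not code from either poster or from F5; it parses that log format, groups denied UDP/53 packets by source address and source port, and reports groups that reach a threshold inside a short window, so an admin can tell a burst of RTT probes from a lone stray query before deciding whether to ask the operator for the do-not-probe list. The sample log is constructed for the example (it repeats the lines from the message and adds a few lines, marked below, to show filtering); the field meanings assumed for `I=` (IP ID) and `T=` (TTL) follow the ipchains log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipchains "Packet log:" layout (Linux 2.2 era), as seen in the thread:
#   <syslog ts> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

UDP = 17
DNS = 53


def parse_line(line, year=2001):
    """Parse one ipchains log line into a dict; return None for lines that do not match.
    syslog lines carry no year, so the caller supplies one (assumed 2001 here)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"]),
        "ipid": int(d["ipid"]), "ttl": int(d["ttl"]), "rule": int(d["rule"]),
    }


def find_probe_bursts(lines, min_count=5, window_s=2):
    """Group UDP/53 packets by (source IP, source port) and return the groups that
    reach min_count packets within window_s seconds, oldest burst first.
    Each result carries the IP ID sequence, which for the 3-DNS probes in the
    thread runs 1..5 from the same source port."""
    groups = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None or p["proto"] != UDP or p["dport"] != DNS:
            continue
        groups[(p["src"], p["sport"])].append(p)
    bursts = []
    for (src, sport), pkts in groups.items():
        pkts.sort(key=lambda p: p["ts"])  # stable: same-second packets keep log order
        first, last = pkts[0]["ts"], pkts[-1]["ts"]
        if len(pkts) >= min_count and (last - first).total_seconds() <= window_s:
            bursts.append({
                "src": src, "sport": sport, "count": len(pkts),
                "ipids": [p["ipid"] for p in pkts], "ttl": pkts[0]["ttl"],
                "first": first, "last": last,
            })
    bursts.sort(key=lambda b: b["first"])
    return bursts


# Constructed sample: the lines from the message plus three added lines
# (an I=1 packet for the first source, one TCP/80 packet, one unrelated line).
SAMPLE_LOG = [
    "Oct 4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=48 (#47)",
    "Oct 4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=48 (#47)",
    "Oct 4 19:25:41 physics kernel: Packet log: input DENY eth0 PROTO=17 61.134.9.133:26983 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=48 (#47)",
    "Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=47 (#47)",
    "Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=47 (#47)",
    "Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=3 F=0x0000 T=47 (#47)",
    "Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=4 F=0x0000 T=47 (#47)",
    "Oct 4 19:25:42 physics kernel: Packet log: input DENY eth0 PROTO=17 61.180.7.130:30022 x.x.x.x:53 L=72 S=0x00 I=5 F=0x0000 T=47 (#47)",
    "Oct 4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=1 F=0x0000 T=50 (#47)",
    "Oct 4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=17 61.163.241.2:36633 x.x.x.x:53 L=72 S=0x00 I=2 F=0x0000 T=50 (#47)",
    "Oct 4 19:25:43 physics kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:4001 x.x.x.x:80 L=60 S=0x00 I=9 F=0x4000 T=64 (#12)",
    "Oct 4 19:25:44 physics kernel: eth0: link up",
]

if __name__ == "__main__":
    for b in find_probe_bursts(SAMPLE_LOG):
        span = (b["last"] - b["first"]).total_seconds()
        print(f"{b['src']}:{b['sport']}  {b['count']} probes in {span:.0f}s  "
              f"ipid={b['ipids']} ttl={b['ttl']}")
```

With the default threshold of five, only 61.180.7.130:30022 is reported; lowering `min_count` to 2 also surfaces the two sources whose bursts were truncated by the "..." in the quoted log. Grouping on source port as well as address matters here: each 3-DNS probe burst reuses one ephemeral port, so the same address probing again later shows up as a separate burst rather than inflating the first one.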
Current thread:
- Weird DNS scans Seth Milder (Oct 05)
- Re: Weird DNS scans Ryan Russell (Oct 05)
- <Possible follow-ups>
- Re: Weird DNS scans Richard Smith (Oct 05)
- Re: Weird DNS scans John Hall (Oct 06)
- Re: Weird DNS scans Seth Milder (Oct 06)
- Re: Weird DNS scans John Hall (Oct 08)
- Re: Weird DNS scans Seth Milder (Oct 09)