Security Incidents mailing list archives
Re: [inbox] RE: Bogus DNS traffic
From: John Sage <jsage () finchhaven com>
Date: Thu, 30 Oct 2003 09:24:14 -0800
David:

On Fri, Oct 24, 2003 at 08:35:20AM -0700, David Gillett wrote:
> Just to clarify:
>
> /* snip */
>
> And to reiterate: Several people have suggested I check
> http://people.ists.dartmouth.edu/~gbakos/bindsweep/
> I have, and it appears to describe exactly what I'm seeing. Thank you.
Do you have any full packet captures?

I've just been looking at some interesting UDP 53:53 traffic that seems to
contain sets of IP address:port 53 pairs, each terminated by hex 0x00, viz:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/29-07:22:27.796597 10.0.98.93:53 -> 67.119.168.10:53
UDP TTL:127 TOS:0x0 ID:8647 IpLen:20 DgmLen:95
Len: 75
05 43 77 A8 0A 35 00 51 48 11 94 35 00 18 46 5F  .Cw..5.QH..5..F_
CB 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .5..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00                                         ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[jsage@sparky /storage/virii]
$ 2 hd 43 77 A8 0A 35
67 119 168 10 53
67.119.168.10:53

[jsage@sparky /storage/virii]
$ host 67.119.168.10
10.168.119.67.in-addr.arpa domain name pointer adsl-67-119-168-10.dsl.frsn01.pacbell.net.

[jsage@sparky /storage/virii]
$ 2 hd 51 48 11 94 35
81 72 17 148 53
81.72.17.148:53

[jsage@sparky /storage/virii]
$ host 81.72.17.148
148.17.72.81.in-addr.arpa domain name pointer host148-17.pool8172.interbusiness.it.

[jsage@sparky /storage/virii]
$ 2 hd 18 46 5F CB 35
24 70 95 203 53
24.70.95.203:53

Request: 24.70.95.203
connected to whois.arin.net [192.149.252.43:43] ...

OrgName:    Shaw Communications Inc.
OrgID:      SHAWC
Address:    Suite 800
Address:    630 - 3rd Ave. SW
City:       Calgary
StateProv:  AB
PostalCode: T2P-4L4
Country:    CA

- John
--
"Most people don't type their own logfiles; but, what do I care?"
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.
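The decoding John does by hand above (pulling 5-byte groups out of the Snort hex dump and turning them into IP:port pairs) can be automated. The following is an added example, not part of the post and not John's `2 hd` script: it re-types the dump from the message as constructed input, recovers the payload bytes from the hex columns, and walks the record list. The record layout it assumes is inferred from the dump, not stated in the thread: one leading byte (0x05 in this capture, meaning unknown), then records of a 4-byte IPv4 address, a 1-byte port and a 0x00 terminator, followed by zero padding.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed input: the hex dump from the post above, re-typed so the
# example runs offline. Snort prints 16 bytes per line as "XX " (48 columns)
# followed by the ASCII rendering, so only the first 48 columns hold data.
DUMP = """\
05 43 77 A8 0A 35 00 51 48 11 94 35 00 18 46 5F  .Cw..5.QH..5..F_
CB 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .5..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00                                         ...
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
HEX_COLUMNS = 48        # 16 bytes * "XX " per dump line
RECORD_LEN = 6          # assumed: 4-byte IPv4 + 1-byte port + 0x00 terminator
HEADER_LEN = 1          # assumed: the leading 0x05 byte, meaning unknown


def dump_to_bytes(dump: str) -> bytes:
    """Recover raw payload bytes from a Snort-style hex/ASCII dump.

    Only the hex region (first 48 columns) is read, so ASCII-column text
    that happens to look like hex (e.g. "5F") can never be mistaken for data.
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line[:HEX_COLUMNS].split():
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_records(payload: bytes) -> List[Tuple[str, int]]:
    """Decode the IP:port list that follows the header byte.

    Parsing stops at the first all-zero record (padding) or at a record whose
    terminator is not 0x00, so a payload that does not follow the assumed
    layout yields a short list rather than mis-sliced addresses.
    """
    records: List[Tuple[str, int]] = []
    off = HEADER_LEN
    while off + RECORD_LEN <= len(payload):
        rec = payload[off:off + RECORD_LEN]
        if rec == b"\x00" * RECORD_LEN:
            break                       # start of zero padding
        if rec[5] != 0x00:
            break                       # terminator missing: layout drift
        ip = str(ipaddress.IPv4Address(rec[:4]))   # packed 4-byte form
        records.append((ip, rec[4]))
        off += RECORD_LEN
    return records


def decode_dump(dump: str) -> List[str]:
    """Convenience wrapper: dump text -> ["a.b.c.d:port", ...]."""
    return [f"{ip}:{port}" for ip, port in parse_records(dump_to_bytes(dump))]


if __name__ == "__main__":
    payload = dump_to_bytes(DUMP)
    print(f"{len(payload)} payload bytes, header byte 0x{payload[0]:02X}")
    for entry in decode_dump(DUMP):
        print(entry)
```

Run against the dump above it yields the same three hosts John resolved by hand (67.119.168.10:53, 81.72.17.148:53, 24.70.95.203:53); the reverse lookups and whois he ran are network queries and are not reproduced here. One caveat the hand decoding hides: with a single byte for the port, this layout cannot express anything above 255, so if a future capture carries ports that do not fit, the assumed record length is wrong and the parser's early exit on a non-zero terminator is what you should expect to see.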
Current thread:
- RE: [inbox] RE: Bogus DNS traffic David Gillett (Oct 25)
- Re: [inbox] RE: Bogus DNS traffic John Sage (Oct 30)
- RE: [inbox] RE: Bogus DNS traffic David Gillett (Oct 30)
- Re: [inbox] RE: Bogus DNS traffic John Sage (Oct 30)