Security Incidents mailing list archives

RE: Malformed DNS or something odd (or just me)


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 9 Apr 2004 16:02:02 -0400

Steven Trewick wrote Wednesday, April 07, 2004 09:45

> Over the last week or so I have seen what looks (to my
> untrained eye) like some kind of funky, malicious or
> malformed DNS traffic turning up at my network borders.

I am familiar with this traffic, but don't know what specifically causes it.
I've been receiving it for several months on one address, and have had
discussions with several other people who have observed very similar
traffic.

There are several different similar types of probes, but the traffic you
listed is pretty much an exact match for one set I have been watching
occasionally.

What typifies the probes I'm talking about is:
- Paired probes to UDP 53 and another UDP port.
- The second UDP port is identical for all probes to any target address.
- The second UDP port is different for every target address, so it is
probably calculated from the target IP address.

Here is what I think I've learned from the packets so far (not too much,
sorry).

- The payloads of the packets generally have IP addresses embedded in them.

- The UDP 53 traffic is not valid DNS traffic at all (the longer packets
cause all sorts of complaints in Ethereal to back this up).

- The sender usually sends identical payloads to UDP 53 and the other port
in pairs.

- The packets are not a response to anything on the target (no trojan is
soliciting them). The target address may have originally been added to the
target list because of some trojan, but continued target membership does not
depend on any outbound traffic. The traffic continues identically whether I
put a router or a PC at that address. The only thing that makes it stop is
changing IP addresses entirely.

- The data in the long packets is binary, and does not seem to add up to
anything coherent in the traffic I've watched. This leads me to believe it
is encrypted traffic. I have not put any work into figuring out how to
decrypt it.


[**] ** Unknown UDP **  [**]
04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

[**] ** Unknown UDP **  [**]
04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...
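
Detection logic for the pattern described above, added here as an example and not code from the original post: it parses Snort "Unknown UDP" alerts like the two quoted, groups probes from one source to one target that carry the same payload, flags groups that hit UDP 53 plus exactly one other port within a short window, and checks whether the 53-bound datagram even holds together as a DNS header. The handling of Snort's hex-dump layout and the one-second pairing window are assumptions.

```python
import re
from collections import defaultdict
# Constructed input: the two Snort "Unknown UDP" alerts quoted in the post, pasted as-is.
SNORT_LOG = """\
[**] ** Unknown UDP **  [**]
04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...

[**] ** Unknown UDP **  [**]
04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00              ......?.&...
"""
HDR = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):([\d.]+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_alerts(text):
    """Yield (seconds, src, sport, dst, dport, payload) for each Snort alert block."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        h, m, s, src, sport, dst, dport = HDR.match(lines[1]).groups()
        # Assumed Snort layout: up to 16 bytes per line in a 48-column hex field, ASCII after it
        hex_runs = [re.match(r"(?:[0-9A-F]{2} )+", l[:48]) for l in lines[4:]]
        payload = b"".join(bytes.fromhex(r.group().strip()) for r in hex_runs if r)
        yield int(h) * 3600 + int(m) * 60 + float(s), src, int(sport), dst, int(dport), payload

def dns_header_problems(payload):
    """Check a datagram sent to UDP/53 against the 12-byte DNS header; return problems found."""
    if len(payload) < 12:
        return ["shorter than the 12-byte DNS header"]
    flags, qd, an, ns, ar = [int.from_bytes(payload[i:i + 2], "big") for i in range(2, 12, 2)]
    # RCODE only carries meaning in a response (QR bit set); a query with RCODE set is malformed
    problems = ["RCODE %d in a query" % (flags & 0xF)] if not (flags & 0x8000) and flags & 0xF else []
    # Smallest possible question is 5 bytes (root name, type, class); smallest RR is 11 bytes
    if len(payload) < 12 + 5 * qd + 11 * (an + ns + ar):
        problems.append("record counts (%d) exceed datagram length" % (qd + an + ns + ar))
    return problems

def find_paired_probes(alerts, window=1.0):
    """Return (src, dst, other_port, dns_problems) per source/target/payload triple hitting UDP/53 plus one other port."""
    groups = defaultdict(list)
    for ts, src, _sport, dst, dport, payload in alerts:
        groups[(src, dst, payload)].append((ts, dport))
    pairs = []
    for (src, dst, payload), hits in groups.items():
        ports = {p for _, p in hits}
        if 53 in ports and len(ports) == 2 and max(hits)[0] - min(hits)[0] <= window:
            pairs.append((src, dst, (ports - {53}).pop(), dns_header_problems(payload)))
    return pairs
```

On the two alerts above this reports one pair (other port 5301) whose payload claims tens of thousands of records in a 12-byte datagram, which is the kind of complaint Ethereal raises on this traffic.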
