Security Incidents mailing list archives
RE: Malformed DNS or something odd (or just me)
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 9 Apr 2004 16:02:02 -0400
Steven Trewick wrote Wednesday, April 07, 2004 09:45
> Over the last week or so I have seen what looks (to my untrained eye) like some kind of funky, malicious or malformed DNS traffic turning up at my network borders.
I am familiar with this traffic, but don't know what specifically causes it. I've been receiving it for several months on one address, and have had discussions with several other people who have observed very similar traffic. There are several different similar types of probes, but the traffic you listed is pretty much an exact match for one set I have been watching occasionally.

What typifies the probes I'm talking about is:

- Paired probes to UDP 53 and another UDP port.
- The second UDP port is identical for all probes to any target address.
- The second UDP port is different for every target address, so it is probably calculated from the target IP address.

Here is what I think I've learned from the packets so far (not too much, sorry).

- The payloads of the packets generally have IP addresses embedded in them.
- The UDP 53 traffic is not valid DNS traffic at all (the longer packets cause all sorts of complaints in Ethereal to back this up).
- The sender usually sends identical payloads to UDP 53 and the other port in pairs.
- The packets are not a response to anything on the target (no trojan is soliciting them). The target address may have originally been added to the target list because of some trojan, but continued target membership does not depend on any outbound traffic. The traffic continues identically whether I put a router or a PC at that address. The only thing that makes it stop is changing IP addresses entirely.
- The data in the long packets is binary, and does not seem to add up to anything coherent in the traffic I've watched. This leads me to believe it is encrypted traffic. I have not put any work into figuring out how to decrypt it.
[**] ** Unknown UDP ** [**]
04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
UDP TTL:112 TOS:0x0 ID:53537 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00  ......?.&...

[**] ** Unknown UDP ** [**]
04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
Len: 12
01 02 00 07 D1 86 3F C3 26 14 01 00  ......?.&...
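A defender-side check for the pairing described above, added here as an example and not code from the original post or from any tool named in it: it parses Snort-style alert lines (a constructed sample built from the two packets quoted above), groups packets by source, target and payload to flag the "UDP 53 plus one other port" pairing, and tests whether a UDP 53 payload could even be a DNS message. The minimum sizes per question (5 bytes) and per resource record (11 bytes) are my assumption from the DNS wire format, not something the post states.

```python
import re
import struct
from collections import defaultdict

# Constructed sample: the two Snort "Unknown UDP" entries quoted in the post,
# re-broken onto separate lines (IP/UDP detail lines omitted for brevity).
SAMPLE_LOG = """\
[**] ** Unknown UDP ** [**]
04/03-20:33:42.506542 62.253.119.103:41601 -> 192.168.0.88:5301
01 02 00 07 D1 86 3F C3 26 14 01 00  ......?.&...
[**] ** Unknown UDP ** [**]
04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
01 02 00 07 D1 86 3F C3 26 14 01 00  ......?.&...
"""

HDR = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
HEX = re.compile(r"^((?:[0-9A-F]{2} )+)")  # hex column, before the ASCII column

def parse_snort(text):
    """Return (timestamp, src, sport, dst, dport, payload) tuples."""
    pkts, cur, payload = [], None, bytearray()
    for line in text.splitlines():
        if m := HDR.match(line):
            if cur:
                pkts.append(cur + (bytes(payload),))
            cur, payload = (m[1], m[2], int(m[3]), m[4], int(m[5])), bytearray()
        elif cur and (h := HEX.match(line)):
            payload += bytes.fromhex(h[1].replace(" ", ""))
    if cur:
        pkts.append(cur + (bytes(payload),))
    return pkts

def find_probe_pairs(pkts):
    """Flag a source that sends one identical payload to UDP 53 and to at
    least one other port on the same target (the pairing the post describes)."""
    groups = defaultdict(set)
    for _, src, _, dst, dport, payload in pkts:
        groups[(src, dst, payload)].add(dport)
    return [(src, dst, sorted(ports - {53}), payload.hex())
            for (src, dst, payload), ports in groups.items()
            if 53 in ports and len(ports) > 1]

def dns_header_plausible(payload):
    """Backs the 'not valid DNS' observation: the counts in the 12-byte header
    must fit in the bytes after it (>=5 per question, >=11 per RR)."""
    if len(payload) < 12:
        return False
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])
    return 5 * qd + 11 * (an + ns + ar) <= len(payload) - 12
```

The quoted 12-byte payload declares 0xD186 = 53638 questions with no data after the header, which is why the sanity check rejects it.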