Security Incidents mailing list archives

Interesting DNS update traffic


From: "Sean Brown" <srbrown () appgeo com>
Date: Mon, 29 Mar 2004 16:56:17 -0500

Hi everyone,

While doing some troubleshooting today, I was reviewing today's log from
an OpenBSD 3.3 firewall and I came upon the following suspicious DNS
update traffic.

Time                        Source            Destination       Protocol  Info
2004-03-29 13:06:11.056733  20.87.190.227     209.113.190.211   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:12.468681  36.49.115.79      209.113.190.207   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:14.561772  31.136.221.227    209.113.190.210   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:15.871554  30.31.90.154      209.113.190.205   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:16.150394  54.198.211.46     209.113.190.195   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:17.775273  23.183.133.136    209.113.190.208   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:23.721351  51.241.219.97     209.113.190.194   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:24.647438  61.48.97.11       209.113.190.206   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:26.813833  47.74.126.220     209.113.190.215   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:28.235247  60.202.159.106    209.113.190.198   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:30.515665  31.199.106.90     209.113.190.201   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:35.323170  36.180.174.139    209.113.190.197   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:37.531606  18.19.115.205     209.113.190.199   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:41.338303  16.51.94.166      209.113.190.196   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:43.369206  26.160.38.131     209.113.190.216   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:47.752669  47.210.221.34     209.113.190.209   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:48.584972  20.185.14.226     209.113.190.203   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:49.485831  20.9.80.58        209.113.190.202   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.890184  31.9.122.6        209.113.190.200   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.892058  29.2.132.185      209.113.190.204   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.892536  27.11.65.237      209.113.190.212   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.895203  30.174.222.156    209.113.190.213   DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.896306  20.32.33.147      209.113.190.214   DNS       Dynamic update response [Malformed Packet]

The pflog file captured the following strangeness.  It is a single entry
in the log and is 94405 characters long (I snipped out the middle for
readability).
13:06:11.056733 rule 85/0(match): block in on fxp0: 20.87.190.227.53 >
209.113.190.211.1026:  1024 update [4097q] q: Type0 (Class 0)? ., q:
Type0 (Class 0)? ., <---snip---> Type0 (Class 0)? . 57/57/57 . (Class 0)
Type0[|domain] (DF) (ttl 124, id 40425)

Ethereal shows the following selected information for one of the
packets.  The detail between the <NOTE></NOTE> tags is interesting.
(236 bytes on wire, 96 bytes captured)
    Arrival Time: Mar 29, 2004 13:06:11.056733000
    Time delta from previous packet: 55.343854000 seconds
    Time relative to first packet: 39949.497288000 seconds
    Frame Number: 4944
    Packet Length: 236 bytes
    Capture Length: 96 bytes
Internet Protocol, Src Addr: 20.87.190.227 (20.87.190.227), Dst Addr:
209.113.190.211 (209.113.190.211)
    Source: 20.87.190.227 (20.87.190.227)
    Destination: 209.113.190.211 (209.113.190.211)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1026 (1026)
    Source port: domain (53)
    Destination port: 1026 (1026)
    Length: 188
Domain Name System (response)
    Transaction ID: 0x0400
    Flags: 0xa880 (Dynamic update response, No error)
        1... .... .... .... = Response: Message is a response
        .010 1... .... .... = Opcode: Dynamic update (5)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
<NOTE>
    Questions: 4097
    Answer RRs: 57
    Authority RRs: 57
    Additional RRs: 57
    Zone
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unknown, class unknown
            Name: <Root>
            Type: Unknown RR type (248)
            Class: unknown
        <Unknown extended label>: type ANY, class unknown
            Name: <Unknown extended label>
            Type: Request for all records
            Class: unknown
[Malformed Packet: DNS]
</NOTE>

=======================

There are a couple of interesting things.  The fact that we got hit on 23
different IPs by 23 distinct source addresses within 53 seconds would
perhaps indicate spoofed IPs from a single machine.  Tracerouting to
each IP succeeds in four hops to the following machine, 65.112.16.5,
which resolves to <bos-edge-02.inet.qwest.net>, an edge router linking
QWEST and our ISP.  However, TTLs for all 23 captured packets are
inconsistent with this and do not indicate 4 hops.

ARIN lookups on each of the above IP addresses resolve to the following
gems:

20.87.190.227 = CSC.com (Computer Sciences Corporation)
36.49.115.79 = IANA Reserved
31.136.221.227 = IANA Reserved
30.31.90.154 = DoD Network Information Center
54.198.211.46 = Merck
23.183.133.136 = IANA Reserved
51.241.219.97 = Dept Social Security of the UK
61.48.97.11 = APIC
47.74.126.220 = Bell Northern Research
18.19.115.205 = MIT
16.51.94.166 = DEC
26.160.38.131 = DoD NIC
29.2.132.185 = DoD NIC
27.11.65.237 = IANA Reserved

So, anyone seen anything like this before?  I'd love to hear what anyone
might have to say about this.  The source IPs are interesting in that
they are not just random broadband customer IPs.  They are all Class A
networks, either reserved or for major organizations.  All terminating
at an edge router for QWEST.  Is this an owned router?


Cheers,

Sean Brown
Director Information Resources
Applied Geographics, Inc.
Boston, MA
617-292-7125 
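As an added example (not part of Sean's post or any tool he mentions), a small Python decoder that reproduces the Ethereal breakdown of the header above and flags the inconsistencies a firewall-side check could alert on: an UPDATE-opcode response, section counts that cannot fit in the packet, and questions with root name, type 0 and class 0. The packet bytes are constructed from the field values quoted in the post (id 0x0400, flags 0xa880, 4097/57/57/57, UDP length 188), not taken from the real capture.

```python
import struct

# Constructed DNS payload modelled on the Ethereal decode in the post (not a real capture):
# id 0x0400, flags 0xa880, 4097 questions, 57/57/57 RRs, two root/type 0/class 0 entries,
# one root/type 248 entry, an extended-label byte (0x41), padded to the 180 bytes implied
# by a UDP length of 188.
SAMPLE_DNS = (struct.pack("!HHHHHH", 0x0400, 0xA880, 4097, 57, 57, 57)
              + b"\x00\x00\x00\x00\x00" * 2 + b"\x00\x00\xf8\x00\x00"
              + b"\x41").ljust(180, b"\x00")

def decode_flags(flags):
    """Split the 16-bit DNS flags word into its fields (RFC 1035 / RFC 2136 layout)."""
    return {"qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "ad": flags >> 5 & 1, "rcode": flags & 0xF}

def parse_header(payload):
    """Return transaction id, decoded flags and the four section counts of a DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "flags": decode_flags(flags),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def min_length_for_counts(hdr):
    """Smallest message that could carry the advertised sections: a question needs at least
    5 bytes (root name, type, class); a resource record at least 11 (adds TTL, RDLENGTH)."""
    return 12 + 5 * hdr["qdcount"] + 11 * (hdr["ancount"] + hdr["nscount"] + hdr["arcount"])

def analyze(payload):
    """Return (header, findings) where findings lists why the message looks malformed."""
    hdr = parse_header(payload)
    f, findings = hdr["flags"], []
    if f["qr"] == 1 and f["opcode"] == 5:
        findings.append("dynamic update response (QR=1, opcode 5)")
    need = min_length_for_counts(hdr)
    if need > len(payload):
        findings.append(f"section counts need at least {need} bytes, payload has {len(payload)}")
    # Walk the question/zone section while entries start with a root name (single 0x00);
    # stop at anything else, e.g. the extended label Ethereal reported.
    off, odd = 12, 0
    while off + 5 <= len(payload) and payload[off] == 0:
        qtype, qclass = struct.unpack("!HH", payload[off + 1:off + 5])
        odd += int(qtype == 0 and qclass == 0)   # type 0 and class 0 are both unassigned
        off += 5
    if odd:
        findings.append(f"{odd} root-name entries with type 0 and class 0")
    return hdr, findings

if __name__ == "__main__":
    hdr, findings = analyze(SAMPLE_DNS)
    print(hex(hdr["id"]), hdr["flags"], hdr["qdcount"], findings)
```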


