Security Incidents mailing list archives
Interesting DNS update traffic
From: "Sean Brown" <srbrown () appgeo com>
Date: Mon, 29 Mar 2004 16:56:17 -0500
Hi everyone,

While doing some troubleshooting today, I was reviewing today's log from an OpenBSD 3.3 firewall and I came upon the following suspicious DNS update traffic.

Time                        Source           Destination      Protocol  Info
2004-03-29 13:06:11.056733  20.87.190.227    209.113.190.211  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:12.468681  36.49.115.79     209.113.190.207  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:14.561772  31.136.221.227   209.113.190.210  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:15.871554  30.31.90.154     209.113.190.205  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:16.150394  54.198.211.46    209.113.190.195  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:17.775273  23.183.133.136   209.113.190.208  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:23.721351  51.241.219.97    209.113.190.194  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:24.647438  61.48.97.11      209.113.190.206  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:26.813833  47.74.126.220    209.113.190.215  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:28.235247  60.202.159.106   209.113.190.198  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:30.515665  31.199.106.90    209.113.190.201  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:35.323170  36.180.174.139   209.113.190.197  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:37.531606  18.19.115.205    209.113.190.199  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:41.338303  16.51.94.166     209.113.190.196  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:43.369206  26.160.38.131    209.113.190.216  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:47.752669  47.210.221.34    209.113.190.209  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:48.584972  20.185.14.226    209.113.190.203  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:06:49.485831  20.9.80.58       209.113.190.202  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.890184  31.9.122.6       209.113.190.200  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.892058  29.2.132.185     209.113.190.204  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.892536  27.11.65.237     209.113.190.212  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.895203  30.174.222.156   209.113.190.213  DNS       Dynamic update response [Malformed Packet]
2004-03-29 13:07:04.896306  20.32.33.147     209.113.190.214  DNS       Dynamic update response [Malformed Packet]

The pflog file captured the following strangeness. It is a single entry in the log and is 94405 characters long (I snipped out the middle for readability).

13:06:11.056733 rule 85/0(match): block in on fxp0: 20.87.190.227.53 > 209.113.190.211.1026: 1024 update [4097q] q: Type0 (Class 0)? ., q: Type0 (Class 0)? ., <---snip---> Type0 (Class 0)? . 57/57/57 . (Class 0) Type0[|domain] (DF) (ttl 124, id 40425)

Ethereal shows the following selected information for one of the packets. The detail between the <NOTE></NOTE> tags is interesting.

(236 bytes on wire, 96 bytes captured)
    Arrival Time: Mar 29, 2004 13:06:11.056733000
    Time delta from previous packet: 55.343854000 seconds
    Time relative to first packet: 39949.497288000 seconds
    Frame Number: 4944
    Packet Length: 236 bytes
    Capture Length: 96 bytes
Internet Protocol, Src Addr: 20.87.190.227 (20.87.190.227), Dst Addr: 209.113.190.211 (209.113.190.211)
    Source: 20.87.190.227 (20.87.190.227)
    Destination: 209.113.190.211 (209.113.190.211)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1026 (1026)
    Source port: domain (53)
    Destination port: 1026 (1026)
    Length: 188
Domain Name System (response)
    Transaction ID: 0x0400
    Flags: 0xa880 (Dynamic update response, No error)
        1... .... .... .... = Response: Message is a response
        .010 1... .... .... = Opcode: Dynamic update (5)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
<NOTE>
    Questions: 4097
    Answer RRs: 57
    Authority RRs: 57
    Additional RRs: 57
    Zone
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unknown, class unknown
            Name: <Root>
            Type: Unknown RR type (248)
            Class: unknown
        <Unknown extended label>: type ANY, class unknown
            Name: <Unknown extended label>
            Type: Request for all records
            Class: unknown
    [Malformed Packet: DNS]
</NOTE>

=======================

There are a couple of interesting things. The fact that we got hit on 23 different IPs by 23 distinct source addresses within 53 seconds would perhaps indicate spoofed IPs from a single machine. Tracerouting to each IP succeeds in four hops to the following machine, 65.112.16.5, which resolves to <bos-edge-02.inet.qwest.net>, an edge router linking QWEST and our ISP. However, TTLs for all 23 captured packets are inconsistent with this and do not indicate 4 hops.

ARIN lookups on each of the above IP addresses turn up the following gems:

20.87.190.227  = CSC.com (Computer Sciences Corporation)
36.49.115.79   = IANA Reserved
31.136.221.227 = IANA Reserved
30.31.90.154   = DoD Network Information Center
54.198.211.46  = Merck
23.183.133.136 = IANA Reserved
51.241.219.97  = Dept Social Security of the UK
61.48.97.11    = APIC
47.74.126.220  = Bell Northern Research
18.19.115.205  = MIT
16.51.94.166   = DEC
26.160.38.131  = DoD NIC
29.2.132.185   = DoD NIC
27.11.65.237   = IANA Reserved

So, anyone seen anything like this before? I'd love to hear what anyone might have to say about this.
The source IPs are interesting in that they are not just random broadband customer IPs. They are all Class A networks, either reserved or for major organizations, all terminating at an edge router for QWEST. Is this an owned router?

Cheers,

Sean Brown
Director Information Resources
Applied Geographics, Inc.
Boston, MA
617-292-7125
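An added example (not code from the post or from the list): a small Python checker that does what the pflog and Ethereal output above invite a reviewer to do by hand. It decodes the 12-byte DNS header, reports an UPDATE response (opcode 5 with QR set), flags section counts that cannot physically fit in the datagram, and walks the first few questions looking for the reserved TYPE 0 / CLASS 0 values tcpdump printed as "Type0 (Class 0)? .". The sample bytes are constructed from values quoted in the post (ID 0x0400, flags 0xa880, counts 4097/57/57/57, root-name questions, and a 180-byte payload implied by the UDP length field of 188 minus the 8-byte UDP header); the function and constant names are my own.

```python
"""Sanity-check a captured DNS datagram the way a firewall log reviewer would after
seeing "Dynamic update response [Malformed Packet]" entries. Added example, not code
from the post; sample bytes are constructed from the header values it quotes."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

OPCODE_UPDATE = 5  # RFC 2136 dynamic update
# Smallest wire encodings, used to bound what the header counts can claim: a question
# with a root name plus TYPE/CLASS; an RR with root name, TYPE, CLASS, TTL, RDLENGTH=0.
MIN_QUESTION_LEN = 1 + 2 + 2
MIN_RR_LEN = 1 + 2 + 2 + 4 + 2


@dataclass
class DnsHeader:
    txid: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & 0x8000)  # QR bit

    @property
    def opcode(self) -> int:
        return (self.flags >> 11) & 0xF  # four bits after QR

    @property
    def rcode(self) -> int:
        return self.flags & 0xF


def parse_header(payload: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    return DnsHeader(*struct.unpack("!6H", payload[:12]))


def parse_questions(payload: bytes, header: DnsHeader,
                    limit: int = 3) -> List[Tuple[str, int, int]]:
    """Walk up to `limit` question entries; stop quietly if the data runs out."""
    questions, pos = [], 12
    for _ in range(min(header.qdcount, limit)):
        labels = []
        while True:
            if pos >= len(payload):
                return questions
            length = payload[pos]
            pos += 1
            if length == 0:  # end of name
                break
            if length & 0xC0:  # compression pointer or extended label: stop walking
                return questions
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        if pos + 4 > len(payload):
            return questions
        qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels) or ".", qtype, qclass))
    return questions


def check_message(payload: bytes) -> List[str]:
    """Return human-readable findings for one DNS payload (UDP data only)."""
    h = parse_header(payload)
    findings = []
    if h.opcode == OPCODE_UPDATE and h.is_response:
        findings.append("UPDATE response (opcode 5, QR=1): only expected as a reply "
                        "to an UPDATE this host sent")
    declared_min = (12 + MIN_QUESTION_LEN * h.qdcount
                    + MIN_RR_LEN * (h.ancount + h.nscount + h.arcount))
    if declared_min > len(payload):
        findings.append(f"counts {h.qdcount}/{h.ancount}/{h.nscount}/{h.arcount} need "
                        f"at least {declared_min} bytes but the payload is {len(payload)}")
    for name, qtype, qclass in parse_questions(payload, h):
        if qtype == 0 or qclass == 0:  # both values are reserved, never valid
            findings.append(f"question {name!r} uses reserved TYPE {qtype} / CLASS {qclass}")
    return findings


# Constructed sample: ID 0x0400, flags 0xa880, counts 4097/57/57/57 as quoted from
# Ethereal, then three "Type0 (Class 0)? ." root-name questions as pflog printed
# them, zero-padded to the 180-byte payload implied by a UDP length of 188.
SAMPLE = struct.pack("!6H", 0x0400, 0xA880, 4097, 57, 57, 57)
SAMPLE += (b"\x00" + struct.pack("!HH", 0, 0)) * 3
SAMPLE = SAMPLE.ljust(180, b"\x00")

if __name__ == "__main__":
    for line in check_message(SAMPLE):
        print("-", line)
```

The length bound is the useful part: 4097 questions and 171 resource records need at least 22378 bytes even in their smallest possible encoding, so a 180-byte payload declaring them is malformed regardless of what the records contain, which is exactly why Ethereal gave up with "[Malformed Packet: DNS]". Running the same check over every blocked datagram in a pflog capture gives a quick count of how many of the 23 shared the same bogus header.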