Security Incidents mailing list archives

RE: Interesting DNS update traffic


From: "Sean Brown" <srbrown () appgeo com>
Date: Mon, 29 Mar 2004 22:32:56 -0500

One thing I forgot to mention.  Source port is always 53 and while it is malformed, it does possess characteristics of 
a DNS Dynamic Update response, albeit always with 4096 questions.  Also, the destination port is always 1026.  Don't 
know why I didn't mention this before.  I've seen the increase in 1026 scans over the last 20 days or so.  However, I 
haven't seen any mention of these types of malformed DNS response packets in the discussion on the increase of UDP 
1026.  Each packet generates a log entry with over 94000 characters so a few really fills up the logs fast.
 
Also, my first post mentioned that traceroutes were terminating at a Qwest border router.  Actually, the traceroute 
responses I was getting back from the Qwest router were network unreachable messages.  So, I'm back to thinking these 
might be spoofed.  The DNS updates are being blocked so I'm not too worried about it.  However, I wouldn't mind 
identifying this or getting some correlation with someone else who is seeing the same thing.  I imagine others must be 
seeing this.
 
Cheers,
 
Sean

        -----Original Message----- 
        From: Sean Brown 
        Sent: Mon 3/29/2004 4:56 PM 
        To: incidents () securityfocus com 
        Cc: srbrown () nyx net 
        Subject: Interesting DNS update traffic
        
        

        Hi everyone, 

        While doing some troubleshooting today, I was reviewing today's log from 
        an OpenBSD 3.3 firewall and I came upon the following suspicious DNS 
        update traffic. 

        Time                        Source            Destination        Protocol Info 
        2004-03-29 13:06:11.056733  20.87.190.227     209.113.190.211    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:12.468681  36.49.115.79      209.113.190.207    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:14.561772  31.136.221.227    209.113.190.210    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:15.871554  30.31.90.154      209.113.190.205    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:16.150394  54.198.211.46     209.113.190.195    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:17.775273  23.183.133.136    209.113.190.208    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:23.721351  51.241.219.97     209.113.190.194    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:24.647438  61.48.97.11       209.113.190.206    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:26.813833  47.74.126.220     209.113.190.215    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:28.235247  60.202.159.106    209.113.190.198    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:30.515665  31.199.106.90     209.113.190.201    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:35.323170  36.180.174.139    209.113.190.197    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:37.531606  18.19.115.205     209.113.190.199    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:41.338303  16.51.94.166      209.113.190.196    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:43.369206  26.160.38.131     209.113.190.216    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:47.752669  47.210.221.34     209.113.190.209    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:48.584972  20.185.14.226     209.113.190.203    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:06:49.485831  20.9.80.58        209.113.190.202    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:07:04.890184  31.9.122.6        209.113.190.200    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:07:04.892058  29.2.132.185      209.113.190.204    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:07:04.892536  27.11.65.237      209.113.190.212    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:07:04.895203  30.174.222.156    209.113.190.213    DNS      Dynamic update response[Malformed Packet] 
        2004-03-29 13:07:04.896306  20.32.33.147      209.113.190.214    DNS      Dynamic update response[Malformed Packet] 

        The pflog file captured the following strangeness.  It is a single entry 
        in the log and is 94405 characters long (I snipped out the middle for 
        readability). 
        13:06:11.056733 rule 85/0(match): block in on fxp0: 20.87.190.227.53 > 209.113.190.211.1026:  1024 update [4097q] q: Type0 (Class 0)? ., q: Type0 (Class 0)? ., <---snip---> Type0 (Class 0)? . 57/57/57 . (Class 0) Type0[|domain] (DF) (ttl 124, id 40425) 

        Ethereal shows the following selected information for one of the 
        packets.  The detail between the <NOTE></NOTE> tags is interesting. 
        (236 bytes on wire, 96 bytes captured) 
            Arrival Time: Mar 29, 2004 13:06:11.056733000 
            Time delta from previous packet: 55.343854000 seconds 
            Time relative to first packet: 39949.497288000 seconds 
            Frame Number: 4944 
            Packet Length: 236 bytes 
            Capture Length: 96 bytes 
        Internet Protocol, Src Addr: 20.87.190.227 (20.87.190.227), Dst Addr: 209.113.190.211 (209.113.190.211) 
            Source: 20.87.190.227 (20.87.190.227) 
            Destination: 209.113.190.211 (209.113.190.211) 
        User Datagram Protocol, Src Port: domain (53), Dst Port: 1026 (1026) 
            Source port: domain (53) 
            Destination port: 1026 (1026) 
            Length: 188 
        Domain Name System (response) 
            Transaction ID: 0x0400 
            Flags: 0xa880 (Dynamic update response, No error) 
                1... .... .... .... = Response: Message is a response 
                .010 1... .... .... = Opcode: Dynamic update (5) 
                .... .0.. .... .... = Authoritative: Server is not an authority for domain 
                .... ..0. .... .... = Truncated: Message is not truncated 
                .... ...0 .... .... = Recursion desired: Don't do query recursively 
                .... .... 1... .... = Recursion available: Server can do recursive queries 
                .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server 
                .... .... .... 0000 = Reply code: No error (0) 
        <NOTE> 
            Questions: 4097 
            Answer RRs: 57 
            Authority RRs: 57 
            Additional RRs: 57 
            Zone 
                <Root>: type unused, class unknown 
                    Name: <Root> 
                    Type: unused 
                    Class: unknown 
                <Root>: type unused, class unknown 
                    Name: <Root> 
                    Type: unused 
                    Class: unknown 
                <Root>: type unknown, class unknown 
                    Name: <Root> 
                    Type: Unknown RR type (248) 
                    Class: unknown 
                <Unknown extended label>: type ANY, class unknown 
                    Name: <Unknown extended label> 
                    Type: Request for all records 
                    Class: unknown 
        [Malformed Packet: DNS] 
        </NOTE> 

        ======================= 

        There are a couple of interesting things.  The fact that we got hit on 23 
        different IPs by 23 distinct source addresses within 53 seconds would 
        perhaps indicate spoofed IPs from a single machine.  Tracerouting to 
        each IP succeeds in four hops to the following machine, 65.112.16.5, 
        which resolves to <bos-edge-02.inet.qwest.net>, an edge router linking 
        QWEST and our ISP.  However, TTLs for all 23 captured packets are 
        inconsistent with this and do not indicate 4 hops. 

        ARIN lookups on each of the above IP addresses resolve to the following 
        gems: 

        20.87.190.227 = CSC.com (Computer Sciences Corporation) 
        36.49.115.79 = IANA Reserved 
        31.136.221.227 = IANA Reserved 
        30.31.90.154 = DoD Network Information Center 
        54.198.211.46 = Merck 
        23.183.133.136 = IANA Reserved 
        51.241.219.97 = Dept Social Security of the UK 
        61.48.97.11 = APIC 
        47.74.126.220 = Bell Northern Research 
        18.19.115.205 = MIT 
        16.51.94.166 = DEC 
        26.160.38.131 = DoD NIC 
        29.2.132.185 = DoD NIC 
        27.11.65.237 = IANA Reserved 

        So, anyone seen anything like this before?  I'd love to hear what anyone 
        might have to say about this.  The source IPs are interesting in that 
        they are not just random broadband customer IPs.  They are all Class A 
        networks, either reserved or for major organizations.  All terminating 
        at an edge router for QWEST.  Is this an owned router? 


        Cheers, 

        Sean Brown 
        Director Information Resources 
        Applied Geographics, Inc. 
        Boston, MA 
        617-292-7125 
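As an added example (not code from the post or from any of the tools it names), the following Python decodes the 12-byte DNS header shown in the Ethereal dissection above and checks it for the traits Sean describes: a dynamic update response (QR set, opcode 5) whose zone/question count is not 1, arriving from UDP 53 to UDP 1026. The SAMPLE_HEADER bytes are constructed from the quoted field values; RFC 2136 requires exactly one zone in an UPDATE message, which is the basis of the count check.

```python
"""Decode the 12-byte DNS header of the packets described in the post and
flag the anomaly described there.  Added example, not part of the post;
SAMPLE_HEADER is constructed from the Ethereal field values quoted above."""
import struct

# Constructed 12-byte header matching the quoted dissection:
# ID 0x0400, flags 0xa880, Questions 4097, Answer/Authority/Additional 57.
SAMPLE_HEADER = struct.pack("!HHHHHH", 0x0400, 0xA880, 4097, 57, 57, 57)


def parse_dns_header(data):
    """Return the RFC 1035 header fields (section 4.1.1 layout) as a dict."""
    if len(data) < 12:
        raise ValueError("DNS header is 12 bytes; got %d" % len(data))
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": ident,
        "flags": flags,
        "qr": (flags >> 15) & 1,        # 1 = response
        "opcode": (flags >> 11) & 0xF,  # 5 = dynamic update (RFC 2136)
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def update_response_anomalies(header, src_port, dst_port):
    """List the traits of the post's traffic that this datagram matches.

    RFC 2136 allows exactly one zone (ZOCOUNT == 1) in an UPDATE message,
    so an update response carrying thousands of "questions" is not a
    reply any real update client could have asked for.
    """
    reasons = []
    if header["qr"] == 1 and header["opcode"] == 5:
        if header["qdcount"] != 1:
            reasons.append("update response with zone count %d (expected 1)"
                           % header["qdcount"])
        if src_port == 53 and dst_port == 1026:
            reasons.append("unsolicited update response from 53 to 1026")
    return reasons
```

Fed a pflog or pcap decoder's UDP payload, the same two functions give a cheap per-packet filter for the 94000-character log entries the post mentions.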

