Full Disclosure mailing list archives

Re: FW: Question for DNS pros


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 03 Aug 2004 11:48:52 -0500

On Tue, 2004-08-03 at 10:21, Paul Schmehl wrote:
> That's interesting.  The address being targeted here was *also* a firewall 
> PAT address.  I'm starting to wonder if this is some sort of a recon tool 
> to get past firewalls.  That would explain why they're using port 53 
> (normally open) and udp (stateless).  If they get any kind of response at 
> all, they've identified a live host.

I'm not sure it qualifies as recon, as it only hits the firewall
address, no other address. It seems to know the exact address. It
appears to be triggered by something that originates from our networks,
but I wasn't able to capture anything. It may be as old as a bounce
email a month ago, or access to a web site a month ago. The dump
supplied was filtered on that one address over most of the night. As you
can see there are no packets going to that address and provoking this
traffic as a response. Considering the thing on my end started last
week, it seems plausible that the trigger occurred around that time, or
even earlier (as there were one or two probes over a month ago).

Also worth noting is that this is on a single address within the main
two class C's. This client also has other networks connected to the
Internet which carry local traffic, and these do not receive these
probes. The vast majority (of this large shop) goes through the
redundant class C's. So the trigger appears to be rather rare and not
widespread. Also noteworthy is the fact that this client is pretty
clean when it comes to viruses, so I'm ruling that out as a trigger as
well. But something had to have happened as it is so targeted....
hopefully through correlation we can shed some light on this. 

Later,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part