Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 03 Aug 2004 11:48:52 -0500
On Tue, 2004-08-03 at 10:21, Paul Schmehl wrote:
> That's interesting. The address being targeted here was *also* a firewall PAT address. I'm starting to wonder if this is some sort of a recon tool to get past firewalls. That would explain why they're using port 53 (normally open) and udp (stateless). If they get any kind of response at all, they've identified a live host.
I'm not sure it qualifies as recon, as it only hits the firewall address, no other address. It seems to know the exact address. It appears to be triggered by something that originates from our networks, but I wasn't able to capture anything. It may be as old as a bounce email a month ago, or access to a web site a month ago. The dump supplied was filtered on that one address over most of the night. As you can see, there are no packets going to that address and provoking this traffic as a response. Considering the thing on my end started last week, it seems plausible that the trigger occurred around that time, or even earlier (as there were one or two probes over a month ago).

Also worth noting is that this is on a single address within the main two class C's. This client also has other networks connected to the Internet which carry local traffic, and these do not receive these probes. The vast majority (of this large shop) goes through the redundant class C's. So the trigger appears to be rather rare and not widespread. Also noteworthy is the fact that this client is pretty clean when it comes to viruses, so I'm ruling that out as a trigger as well. But something had to have happened, as it is so targeted.... Hopefully through correlation we can shed some light on this.

Later,
Frank
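The check Frank describes above (a capture filtered on the firewall address, looked through for any outbound packet that could have provoked the inbound UDP/53 traffic) can be automated. The script below is an added example for this thread, not code from the original post or from either poster. It assumes tcpdump's default one-line text output for UDP packets, matches a reply to its query by the reversed address/port 4-tuple, and treats anything arriving more than 5 seconds after the last packet we sent to that peer as unsolicited; the 5-second window, the firewall address 192.0.2.1 and the whole sample capture are constructed for the example (RFC 5737 documentation ranges), not Frank's dump.

```python
"""Flag inbound UDP/53 packets to a firewall address that nothing from the
firewall provoked.

Added example for the thread above, not code from the original post.
Assumptions: tcpdump's default one-line text output for UDP packets, a
DNS reply matched to its query by the reversed 4-tuple (peer address and
port, our address and port), and a 5-second reply window. All addresses
are RFC 5737 documentation ranges; the capture is constructed.
"""
import re
from collections import Counter

FIREWALL_ADDR = "192.0.2.1"   # constructed stand-in for the firewall PAT address
REPLY_WINDOW_SECONDS = 5.0    # assumption: a genuine DNS answer arrives well inside this

# Constructed sample capture (not the dump from the thread), in tcpdump's
# default text format, filtered on the firewall address as Frank's was.
SAMPLE_CAPTURE = """\
01:00:00.000123 IP 192.0.2.1.33120 > 198.51.100.7.53: UDP, length 40
01:00:00.051882 IP 198.51.100.7.53 > 192.0.2.1.33120: UDP, length 96
01:00:30.000000 IP 198.51.100.7.53 > 192.0.2.1.33120: UDP, length 96
02:13:44.710005 IP 203.0.113.9.53 > 192.0.2.1.1027: UDP, length 30
02:13:45.120332 IP 203.0.113.9.53 > 192.0.2.1.53: UDP, length 30
03:30:10.000001 IP 192.0.2.1.40001 > 198.51.100.7.53: UDP, length 44
03:30:10.030000 IP 198.51.100.7.53 > 192.0.2.1.40001: UDP, length 120
03:31:00.000000 IP 203.0.113.9.1234 > 192.0.2.1.53: UDP, length 30
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP "
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length (\d+)$"
)


def parse_line(line):
    """Parse one tcpdump UDP line into a dict; None for anything else (ARP, TCP, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, usec, src, sport, dst, dport, length = m.groups()
    return {
        "ts": int(hh) * 3600 + int(mm) * 60 + int(ss) + int(usec) / 1e6,  # seconds since midnight
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "len": int(length),
    }


def find_unsolicited(capture, fw_addr=FIREWALL_ADDR, window=REPLY_WINDOW_SECONDS):
    """Return inbound UDP packets to fw_addr with port 53 at either end that no
    outbound packet from fw_addr (same peer address/port, same local port)
    preceded within `window` seconds."""
    last_outbound = {}   # (peer_ip, peer_port, local_port) -> ts of last packet we sent
    flagged = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == fw_addr:
            # Anything we sent could legitimately provoke a reply on the reversed tuple.
            last_outbound[(pkt["dst"], pkt["dport"], pkt["sport"])] = pkt["ts"]
        elif pkt["dst"] == fw_addr and 53 in (pkt["sport"], pkt["dport"]):
            sent = last_outbound.get((pkt["src"], pkt["sport"], pkt["dport"]))
            if sent is None:
                reason = "no matching outbound packet"
            elif pkt["ts"] - sent > window:
                reason = "%.3fs after our last packet to that peer, outside the reply window" % (pkt["ts"] - sent)
            else:
                continue   # looks like an answer to something we asked
            flagged.append({**pkt, "reason": reason})
    return flagged


def peer_counts(flagged):
    """How many unsolicited packets each external source sent; one repeat
    offender points at a targeted probe rather than random backscatter."""
    return Counter(p["src"] for p in flagged)


if __name__ == "__main__":
    hits = find_unsolicited(SAMPLE_CAPTURE)
    for p in hits:
        print("%12.6f %s:%d -> %s:%d  %s" % (p["ts"], p["src"], p["sport"], p["dst"], p["dport"], p["reason"]))
    print(dict(peer_counts(hits)))
```

On the constructed capture the two real query/answer pairs are left alone, the late packet from 198.51.100.7 is flagged because it falls outside the window, and the three packets from 203.0.113.9 are flagged because nothing went out to that host first; widening the window to 60 seconds clears the late one. On a real dump the filter matters: the capture must include everything the firewall address sends, not just port 53, or a reply to some other outbound traffic would be misreported as unsolicited.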