Security Incidents mailing list archives

Re: Strange DNS/TCP activity


From: technot () BERGEN CX (technot)
Date: Thu, 27 Jan 2000 18:23:20 +0100


Our nameservers have been a subject of suspicious probes (?) aimed at TCP
port 53 recently. Here is a genuine tcpdump transcript of one of the
probes (line-wrapped for better readability):

19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain:
  S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
  (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain:
  S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386)
  (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain:
  S 338360493:338360557(64) win 2048 (ttl 239, id 18215)
  (payload of 64 zeros)

[ 209.67.42.160 opens three connections, sending 64 zero bytes
  in the SYN datagram?! ]

19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900:
  S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536>
  (ttl 63, id 15013)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2901:
  S 386430030:386430030(0) ack 1535086519 win 32736 <mss 536>
  (ttl 63, id 15014)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2902:
  S 3536506566:3536506566(0) ack 338360494 win 32736 <mss 536>
  (ttl 63, id 15015)

[ the nameserver accepts these connections ]

19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain:
  R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain:
  R 1535086519:1535086519(0) win 0 (ttl 48, id 1614)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain:
  R 338360494:338360494(0) win 0 (ttl 48, id 1616)

[ 209.67.42.160 resets all connections ]

19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 40424)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain:
  R 1:1(0) ack 1 win 2048 (ttl 239, id 4625)

[ ...and it resets them again?! ]


The client's IP address is changing. Today, I caught 200.211.187.195,
209.67.42.183, 209.67.42.150, 209.67.42.160, and 200.211.187.194.

As far as I can tell, port numbers are always "round" numbers:
100x+0, 100x+1, and 100x+2. ISNs look random.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


This looks to me as being a simple bind attack/scan.
There are some public exploits for bind 8.2 and 8.2.1 for linux / unix.
Also I heard rumours of a bind 8.1.1 linux exploit but I have never
actually seen one.
There are some private scanners for scanning C class and B class for bind,
giving out information like this:
-
207.139.235.214  2s                              csdepot.com  0        8.2
-

I did a simple C class scan on 207.139.235.* and 207.139.235.214 is
exploitable using this bind exploit.

If you don't run bind 8.2, 8.2.1 or 8.1.1(?) I wouldn't be worried.

- technot <technot () bergen cx>
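The probe pattern described in the quoted message (a SYN to port 53 that carries a 64-byte zero payload, sent from three consecutive source ports, then reset) is easy to pick out of a tcpdump transcript mechanically. The following is an added example, not code from either poster: a small Python filter over the old-style tcpdump line format shown above. The sample lines are constructed from the addresses and values in the quoted transcript (unwrapped onto single lines), plus one constructed benign SYN from 192.0.2.7 so the filter has something to ignore; the helper names (`parse_line`, `syn_with_payload`, `summarize`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the old tcpdump format quoted in the post, one packet
# per line. 192.0.2.7 is a constructed ordinary SYN (no payload) for contrast.
SAMPLE = """\
19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain: S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain: S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain: S 338360493:338360557(64) win 2048 (ttl 239, id 18215)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900: S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536> (ttl 63, id 15013)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:51:02.000000 192.0.2.7.3412 > our.nameserver.domain: S 11111:11111(0) win 8760 <mss 1460> (ttl 52, id 9)
"""

# "host.port > host.port: FLAGS seq:end(len) ..." ; the port may be a name
# such as "domain", which is why the port group is \w+ rather than \d+.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<length>\d+)\)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["length"] = int(d["length"])
    # SYN/ACK and RST/ACK lines carry "ack N" after the length field.
    d["ack"] = " ack " in d["rest"]
    return d


def syn_with_payload(text):
    """Return the packets that are pure SYNs (no ACK bit) carrying data.
    A normal handshake SYN carries no payload, so this is a cheap first filter."""
    out = []
    for line in text.splitlines():
        p = parse_line(line)
        if p and p["flags"] == "S" and not p["ack"] and p["length"] > 0:
            out.append(p)
    return out


def summarize(text):
    """Group suspect SYNs by source host: ports used, payload sizes, targets,
    and whether the source ports form a consecutive run (the 100x+0/+1/+2
    pattern noted in the post)."""
    by_src = defaultdict(lambda: {"ports": [], "lengths": set(), "targets": set()})
    for p in syn_with_payload(text):
        entry = by_src[p["src"]]
        if p["sport"].isdigit():
            entry["ports"].append(int(p["sport"]))
        entry["lengths"].add(p["length"])
        entry["targets"].add(p["dst"])
    for entry in by_src.values():
        ports = sorted(entry["ports"])
        entry["ports"] = ports
        entry["consecutive"] = (
            len(ports) >= 2 and ports == list(range(ports[0], ports[0] + len(ports)))
        )
    return dict(by_src)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(
            f"{src}: SYN+data to {sorted(info['targets'])} from ports {info['ports']}, "
            f"payload sizes {sorted(info['lengths'])}, consecutive={info['consecutive']}"
        )
```

Run against a real capture, feed the tcpdump output through `summarize` after unwrapping any line-wrapped records; the SYN-with-payload check alone separates the probe from ordinary DNS-over-TCP clients, and the consecutive-port flag gives a second, independent indicator to correlate across the changing source addresses the post lists.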

