Security Incidents mailing list archives

Re: Strange DNS/TCP activity


From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Thu, 27 Jan 2000 20:56:11 -0000


Pavel,

There is no mystery here.  Mark Shaw and I saw the same activity every day,
from some of the same IPs.  SYN packets with 64 bytes of data are 
generated by F5's 3DNS load balancing product.  My last paper describes
this activity, and compares it to a similar product from Cisco -- their
"Distributed Director."  DD sends SYN ACK packets with initial response
numbers and ACK numbers differing by one.  Please reference:

http://bejtlich.home.texas.net/intv2-1.txt

for the latest copy of my paper.

Enjoy (maybe!)

Richard

-----
Our nameservers have been the subject of suspicious probes (?) aimed at TCP
port 53 recently.
...snip...
[ 209.67.42.160 opens three connections, sending 64 zero bytes
  in the SYN datagram?! ]
...snip...

The client's IP address is changing. Today, I caught 200.211.187.195,
209.67.42.183, 209.67.42.150, 209.67.42.160, and 200.211.187.194.

--Pavel Kankovsky
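As an added example (not part of either message in this thread, and not code from F5, Cisco or Richard's paper), here is a small Python detector for the two fingerprints Richard describes: a bare SYN to TCP/53 carrying exactly 64 zero bytes of payload (the 3DNS probe Pavel saw), and a SYN/ACK whose sequence and acknowledgement numbers differ by one, which is my reading of the Distributed Director description. The packet builder exists only to fabricate sample traffic offline; the source addresses are the ones Pavel listed, while the nameserver 192.0.2.53 and the host 203.0.113.7 are constructed placeholders from the documentation address ranges. In real use you would feed the scanner raw IPv4 frames from a capture instead of the constructed list.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits (byte 13 of the TCP header)
TCP_SYN = 0x02
TCP_ACK = 0x10
SEQ_MOD = 1 << 32


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                 flags: int, payload: bytes = b"") -> bytes:
    """Fabricate a minimal IPv4+TCP packet (no options, checksums left at zero).
    Used only to construct sample traffic here; a real capture would be parsed instead."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         _ip_bytes(src), _ip_bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Optional[Packet]:
    """Decode an IPv4/TCP packet; returns None for anything that is not TCP over IPv4."""
    if len(raw) < 40 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", raw, 2)[0]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, ack, off_res, flags = struct.unpack_from("!HHIIBB", raw, ihl)
    data_off = (off_res >> 4) * 4
    payload = raw[ihl + data_off:total_len]
    return Packet(src, dst, sport, dport, seq, ack, flags, payload)


def classify(pkt: Packet) -> Optional[str]:
    """Label packets matching the two load-balancer fingerprints from the thread."""
    syn_ack_bits = pkt.flags & (TCP_SYN | TCP_ACK)
    # F5 3DNS: bare SYN to port 53 carrying exactly 64 zero bytes of payload.
    if (syn_ack_bits == TCP_SYN and pkt.dport == 53
            and len(pkt.payload) == 64 and not any(pkt.payload)):
        return "f5-3dns-probe"
    # Cisco Distributed Director (my reading of Richard's description): SYN/ACK
    # whose sequence and acknowledgement numbers differ by exactly one, mod 2^32.
    if syn_ack_bits == (TCP_SYN | TCP_ACK) and (pkt.ack - pkt.seq) % SEQ_MOD in (1, SEQ_MOD - 1):
        return "cisco-dd-synack"
    return None


def scan(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, label) for every frame that matches a fingerprint."""
    hits = []
    for raw in frames:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        label = classify(pkt)
        if label:
            hits.append((pkt.src, pkt.dst, label))
    return hits


# Constructed sample traffic. Source addresses are the ones Pavel listed; the
# nameserver 192.0.2.53 and the host 203.0.113.7 are placeholders from the
# documentation address ranges, not hosts from the thread.
SAMPLE_FRAMES = [
    # ordinary DNS-over-TCP client: SYN with no payload, should not match
    build_packet("200.211.187.195", "192.0.2.53", 34012, 53, 700, 0, TCP_SYN),
    # 3DNS-style probe: SYN with 64 zero bytes, matches
    build_packet("209.67.42.160", "192.0.2.53", 1025, 53, 1, 0, TCP_SYN, bytes(64)),
    # 64 non-zero bytes on a SYN: same size, different content, should not match
    build_packet("209.67.42.183", "192.0.2.53", 1026, 53, 1, 0, TCP_SYN, b"A" * 64),
    # DD-style SYN/ACK with ack = seq + 1, matches
    build_packet("203.0.113.7", "192.0.2.53", 53, 40001, 1000, 1001, TCP_SYN | TCP_ACK),
    # SYN/ACK from a normal handshake: ack unrelated to its own seq, no match
    build_packet("192.0.2.53", "200.211.187.195", 53, 34012, 2000000, 701, TCP_SYN | TCP_ACK),
]

if __name__ == "__main__":
    for src, dst, label in scan(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {label}")
```

The zero-byte check matters: a SYN carrying 64 bytes of anything else is not the 3DNS pattern, so the detector keys on both the length and the content, and the sequence-number comparison is done modulo 2^32 so a wrap between seq and ack still counts as "differing by one".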

