Security Incidents mailing list archives
Re: Strange DNS/TCP activity
From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Thu, 27 Jan 2000 20:56:11 -0000
Pavel,

There is no mystery here. Mark Shaw and I saw the same activity every day, from some of the same IPs. SYN packets with 64 bytes of data are generated by F5's 3DNS load balancing product. My last paper describes this activity, and compares it to a similar product from Cisco -- their "Distributed Director." DD sends SYN ACK packets with initial response numbers and ACK numbers differing by one.

Please reference:

http://bejtlich.home.texas.net/intv2-1.txt

for the latest copy of my paper. Enjoy (maybe!)

Richard

-----

Our nameservers have been a subject of suspicious probes (?) aimed at TCP port 53 recently.

...snip...

[ 209.67.42.160 opens three connections, sending 64 zero bytes in the SYN datagram?! ]

...snip...

The client's IP address is changing. Today, I caught 200.211.187.195, 209.67.42.183, 209.67.42.150, 209.67.42.160, and 200.211.187.194.

--Pavel Kankovsky
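A triage check for the pattern discussed in this thread, as an added example that is not part of the original message or of the referenced paper: it parses raw IPv4/TCP packets and flags a bare SYN to TCP port 53 that carries 64 bytes of data. Treating the payload as all zeros follows the quoted capture and is an assumption, as are the function names and the constructed sample packets.

```python
import struct

SYN, ACK = 0x02, 0x10

def parse_tcp(packet: bytes):
    """Parse a raw IPv4/TCP packet; return None if it is not TCP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or len(packet) < ihl + 20 or total_len > len(packet):
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or ihl + data_off > total_len:
        return None
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dport": dport,
        "flags": off_flags & 0x3F,
        "payload": packet[ihl + data_off:total_len],
    }

def looks_like_3dns_probe(packet: bytes) -> bool:
    """True for a SYN (no ACK) to TCP/53 carrying exactly 64 zero bytes of data."""
    tcp = parse_tcp(packet)
    return (tcp is not None and tcp["dport"] == 53
            and tcp["flags"] & (SYN | ACK) == SYN
            and tcp["payload"] == bytes(64))

def build_packet(src: str, dport: int, flags: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 53]))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp + payload

# Constructed samples: source address is from the quoted report, the rest is invented.
SAMPLES = [
    build_packet("209.67.42.160", 53, SYN, bytes(64)),        # pattern from the thread
    build_packet("209.67.42.160", 53, SYN, b""),              # ordinary DNS-over-TCP SYN
    build_packet("209.67.42.160", 53, SYN | ACK, bytes(64)),  # not a bare SYN
    build_packet("209.67.42.160", 80, SYN, bytes(64)),        # wrong port
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_tcp(pkt)["src"], looks_like_3dns_probe(pkt))
```

A match only says the packet has the shape described here; confirming that the source is a load balancer still requires checking who operates the address.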