Security Incidents mailing list archives
Re: Unwanted DNS connection attempts
From: Richard Bejtlich <bejtlich () ALTAVISTA NET>
Date: Wed, 6 Sep 2000 01:11:15 -0000
Alex,

These are most likely round trip time (RTT) latency tests from an F5 3DNS load balancer. I describe traffic like this in a paper at http://bejtlich.net called "Interpreting Network Traffic." This traffic is bothersome but not malicious. You can ignore it. I recognize the Exodus source IPs from last year, also.

Richard

-----
I have a nameserver that also acts as a gateway, and I see these weird scans. They seem to have started yesterday, but the thing I do not understand is why are they directed to the external interface, on which I have no name service.
[snip]
They are both UDP and TCP, so I also suspect zone transfer attempts.
Here are the logs, times GMT+0300, ntp stratum 3 synchronised:
Sep 4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.404608 ed0 @0:20 b 209.67.42.162,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.405572 ed0 @0:20 b 209.67.42.162,2202 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:22:42 ns ipmon[254]: 20:22:41.308808 ed0 @0:20 b 209.67.42.162,2100 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:22:42 ns ipmon[254]: 20:22:41.309599 ed0 @0:20 b 209.67.42.162,2101 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:27:37 ns ipmon[254]: 20:27:37.283549 ed0 @0:20 b 209.67.42.162,3700 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:27:37 ns ipmon[254]: 20:27:37.284494 ed0 @0:20 b 209.67.42.162,3701 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:27:37 ns ipmon[254]: 20:27:37.287349 ed0 @0:20 b 209.67.42.162,3702 -> [snip]
------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro| -- B. Franklin
------------+------------------------------------------
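
One way to triage an excerpt like the one quoted above, added here as an example and not code from either poster: it parses the ipmon lines, keeps blocked packets to port 53, and groups each source's packets into bursts so that runs of consecutive source ports stand out. The 1-second burst gap and the function names are assumptions; the sample lines are copied from the excerpt with wrapped lines rejoined and the truncated last line left out.

```python
import re
from collections import defaultdict

# Copied from the ipmon excerpt above (wrapped lines rejoined, truncated line omitted).
SAMPLE = """\
Sep 4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.404608 ed0 @0:20 b 209.67.42.162,2201 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.405572 ed0 @0:20 b 209.67.42.162,2202 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:22:42 ns ipmon[254]: 20:22:41.308808 ed0 @0:20 b 209.67.42.162,2100 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:22:42 ns ipmon[254]: 20:22:41.309599 ed0 @0:20 b 209.67.42.162,2101 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:27:37 ns ipmon[254]: 20:27:37.283549 ed0 @0:20 b 209.67.42.162,3700 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:27:37 ns ipmon[254]: 20:27:37.284494 ed0 @0:20 b 209.67.42.162,3701 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
"""

# Packet time, interface, rule, action, then "src,sport -> dst,dport PR proto".
LINE = re.compile(
    r"ipmon\[\d+\]: (\d+):(\d+):(\d+\.\d+) \S+ @\d+:\d+ (\w) "
    r"([\d.]+),(\d+) -> ([\d.]+),(\d+) PR (\w+)"
)

def blocked_dns(text):
    """Yield (time_of_day_seconds, src, sport) for blocked packets to port 53."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m and m[4] == "b" and m[8] == "53":
            t = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            yield t, m[5], int(m[6])

def bursts(text, gap=1.0):
    """Map each source IP to its bursts (lists of source ports); a new burst
    starts when more than `gap` seconds pass. Midnight rollover is not handled."""
    per_src = defaultdict(list)
    for t, src, sport in blocked_dns(text):
        per_src[src].append((t, sport))
    out = {}
    for src, pkts in per_src.items():
        pkts.sort()
        groups = [[pkts[0][1]]]
        for (t0, _), (t1, port) in zip(pkts, pkts[1:]):
            if t1 - t0 > gap:
                groups.append([])
            groups[-1].append(port)
        out[src] = groups
    return out

def sequential(ports):
    """True when a burst's source ports step up by exactly one per packet."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
```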