Security Incidents mailing list archives

UDP IP Frag


From: Curley Mr Eric P <CurleyEP () NOC USMC MIL>
Date: Tue, 6 Feb 2001 08:01:18 -0500

We have been receiving fragmented IP traffic (we think) from multiple
Chinese sources.  According to the firewall logs, it looks like they are
querying for root servers.  We had thought that it could be a possible DoS
attack, considering that fragmented UDP packets at such high volume could
fill up the memory stack, but we are not certain of that.  Could it be a
possible DoS like nestea.c?  Has anybody else seen this activity?  Below are
some logs that we have received.  Any help with this would be great.

Eric




ISS Logs: Protocol comes up as UDP

EventDate     EventName  SourcePort  DestinationPort  SourceAddressName  DestinationAddressName

7:39:50 AM    IPFrag     0           0                202.108.43.152     a.b.c.d
10:27:02 AM   IPFrag     0           0                202.108.43.152     a.b.c.d
11:06:22 AM   IPFrag     0           0                202.108.43.151     a.b.c.d
11:07:40 AM   IPFrag     0           0                202.108.43.152     a.b.c.d
1:29:45 PM    IPFrag     0           0                202.108.43.152     a.b.c.d
2:01:01 PM    IPFrag     0           0                202.108.43.152     a.b.c.d
4:21:29 AM    IPFrag     0           0                61.136.61.67       a.b.c.d
4:28:19 AM    IPFrag     0           0                61.134.9.134       a.b.c.d
4:29:10 AM    IPFrag     0           0                61.155.13.3        a.b.c.d
4:36:55 AM    IPFrag     0           0                202.96.96.3        a.b.c.d
4:41:17 AM    IPFrag     0           0                202.101.43.222     a.b.c.d
4:44:40 AM    IPFrag     0           0                61.136.61.68       a.b.c.d
4:47:17 AM    IPFrag     0           0                61.136.61.67       a.b.c.d
4:53:32 AM    IPFrag     0           0                202.96.96.3        a.b.c.d
4:59:16 AM    IPFrag     0           0                61.140.75.4        a.b.c.d
5:10:30 AM    IPFrag     0           0                61.140.75.4        a.b.c.d
5:11:16 AM    IPFrag     0           0                61.134.9.134       a.b.c.d
6:29:34 AM    IPFrag     0           0                202.108.43.152     a.b.c.d
7:19:13 PM    IPFrag     0           0                202.96.96.3        a.b.c.d
7:56:08 PM    IPFrag     0           0                61.140.75.3        a.b.c.d
7:58:27 PM    IPFrag     0           0                202.101.43.222     a.b.c.d
7:59:39 PM    IPFrag     0           0                61.134.9.133       a.b.c.d
8:13:09 PM    IPFrag     0           0                61.155.13.3        a.b.c.d
8:20:03 PM    IPFrag     0           0                61.155.13.3        a.b.c.d
8:22:01 PM    IPFrag     0           0                202.101.43.222     a.b.c.d
8:29:10 PM    IPFrag     0           0                61.136.61.67       a.b.c.d
8:42:26 PM    IPFrag     0           0                202.101.43.223     a.b.c.d
8:49:18 PM    IPFrag     0           0                61.140.75.4        a.b.c.d
8:54:49 PM    IPFrag     0           0                61.136.61.68       a.b.c.d
9:12:41 PM    IPFrag     0           0                61.136.61.68       a.b.c.d
9:13:28 PM    IPFrag     0           0                61.134.9.134       a.b.c.d
9:35:09 PM    IPFrag     0           0                61.134.9.133       a.b.c.d
9:36:59 PM    IPFrag     0           0                61.134.9.134       a.b.c.d
10:36:32 PM   IPFrag     0           0                61.140.75.4        a.b.c.d
10:57:57 PM   IPFrag     0           0                202.108.43.152     a.b.c.d
11:00:27 PM   IPFrag     0           0                202.108.43.151     a.b.c.d
11:01:53 PM   IPFrag     0           0                202.101.43.223     a.b.c.d
12:02:10 PM   IPFrag     0           0                202.108.43.152     a.b.c.d

Firewall Logs

grep 61.140.75.3 messages.0
Jan 30 19:58:37 mysite named[2593]: unapproved query from [61.140.75.3].16475 for "."
Jan 30 20:01:57 mysite named[2593]: unapproved query from [61.140.75.3].16724 for "."
Jan 30 20:18:11 mysite named[2593]: unapproved query from [61.140.75.3].17837 for "."
Jan 30 22:44:46 mysite named[16204]: denied query from [61.140.75.3].35867 for "."
[gate1 /var/log]$ grep 61.134.9.133 messages.0
Jan 30 19:48:41 mysite named[2593]: unapproved query from [61.134.9.133].52749 for "."
Jan 30 20:02:08 mysite named[2593]: unapproved query from [61.134.9.133].54558 for "."
Jan 30 21:37:38 mysite named[9462]: unapproved query from [61.134.9.133].3774 for "."
Jan 30 21:43:32 mysite named[9462]: unapproved query from [61.134.9.133].4846 for "."
Jan 30 21:46:53 mysite named[9462]: unapproved query from [61.134.9.133].5555 for "."
[gate1 /var/log]$ grep 202.101.43.223 messages.0
Jan 30 20:42:15 mysite named[2593]: unapproved query from [202.101.43.223].59397 for "."
Jan 30 20:44:56 mysite named[2593]: unapproved query from [202.101.43.223].60256 for "."
Jan 30 20:46:01 mysite named[2593]: unapproved query from [202.101.43.223].60613 for "."
Jan 30 23:04:12 mysite named[16204]: denied query from [202.101.43.223].38924 for "."
[gate1 /var/log]$ grep 61.134.9.134 messages.0
Jan 30 04:30:48 mysite named[2593]: unapproved query from [61.134.9.134].6568 for "."
Jan 30 05:13:45 mysite named[2593]: unapproved query from [61.134.9.134].10427 for "."
Jan 30 21:15:57 mysite named[2593]: unapproved query from [61.134.9.134].38932 for "."
Jan 30 21:39:29 mysite named[9462]: unapproved query from [61.134.9.134].42018 for "."
Jan 30 23:20:24 mysite named[16204]: denied query from [61.134.9.134].53248 for "."
Jan 30 23:53:07 mysite named[16204]: denied query from [61.134.9.134].55227 for "."
Jan 31 00:14:26 mysite named[16204]: denied query from [61.134.9.134].56936 for "."
[gate1 /var/log]$
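One way to cross-check the two logs quoted above, as an added example that is not part of Eric's message: it parses the BIND "unapproved query" / "denied query" lines and the ISS IPFrag rows, counts events per source address, records which source ports each address used, and lists the addresses that show up in both logs. The sample lines are constructed after the formats quoted in the post (a few rows copied, one source that appears only in the IDS log); the regular expressions assume exactly those formats (syslog prefix plus `named[pid]:`, and a six-column ISS row) and are an assumption of this example, not a general parser for either product.

```python
"""Correlate named query refusals with IDS IPFrag events by source address.

Added example for the "UDP IP Frag" thread; not code from the original post.
The sample log lines below are constructed after the formats quoted there.
"""
import re
from collections import defaultdict

# BIND log line as quoted in the post: syslog prefix, "named[pid]:", then
# "unapproved query from [ip].port for "name"" or "denied query from ...".
NAMED_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: '
    r'(?P<verdict>unapproved|denied) query from '
    r'\[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]*)"$'
)

# One ISS row: time, event name, source port, destination port, source, destination.
ISS_RE = re.compile(
    r'^(?P<ts>\d{1,2}:\d\d:\d\d [AP]M)\s+(?P<event>\w+)\s+(?P<sport>\d+)\s+'
    r'(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>\S+)$'
)

# Constructed sample input (formats taken from the post).
NAMED_SAMPLE = [
    'Jan 30 19:58:37 mysite named[2593]: unapproved query from [61.140.75.3].16475 for "."',
    'Jan 30 22:44:46 mysite named[16204]: denied query from [61.140.75.3].35867 for "."',
    'Jan 30 20:42:15 mysite named[2593]: unapproved query from [202.101.43.223].59397 for "."',
    'Jan 30 04:30:48 mysite named[2593]: unapproved query from [61.134.9.134].6568 for "."',
    'Jan 30 21:39:29 mysite named[9462]: unapproved query from [61.134.9.134].42018 for "."',
]
ISS_SAMPLE = [
    '7:56:08 PM      IPFrag          0               0               61.140.75.3             a.b.c.d',
    '8:42:26 PM      IPFrag          0               0               202.101.43.223          a.b.c.d',
    '11:01:53 PM     IPFrag          0               0               202.101.43.223          a.b.c.d',
    '4:28:19 AM      IPFrag          0               0               61.134.9.134            a.b.c.d',
    '7:39:50 AM      IPFrag          0               0               202.108.43.152          a.b.c.d',
]


def parse_named(line):
    """Return the fields of a named refusal line as a dict, or None if no match."""
    m = NAMED_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_iss(line):
    """Return the fields of an ISS event row as a dict, or None if no match."""
    m = ISS_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(named_lines, iss_lines):
    """Per source IP: refused '.' queries, IPFrag events, and source ports seen.

    Returns {ip: {"named": int, "ipfrag": int, "ports": set[int]}}.
    """
    stats = defaultdict(lambda: {"named": 0, "ipfrag": 0, "ports": set()})
    for line in named_lines:
        rec = parse_named(line)
        if rec and rec["qname"] == ".":          # only the root-name queries
            stats[rec["ip"]]["named"] += 1
            stats[rec["ip"]]["ports"].add(int(rec["port"]))
    for line in iss_lines:
        rec = parse_iss(line)
        if rec and rec["event"] == "IPFrag":
            stats[rec["src"]]["ipfrag"] += 1
    return dict(stats)


def both_seen(stats):
    """Sources present in both logs: the ones worth capturing a full pcap for."""
    return sorted(ip for ip, s in stats.items() if s["named"] and s["ipfrag"])


if __name__ == "__main__":
    result = correlate(NAMED_SAMPLE, ISS_SAMPLE)
    for ip, s in sorted(result.items()):
        print(f"{ip:16} named={s['named']} ipfrag={s['ipfrag']} ports={sorted(s['ports'])}")
    print("in both logs:", both_seen(result))
```

Two things the correlation makes visible. The ISS rows show source and destination port 0 because a non-initial IP fragment carries no UDP header, so an IDS that logs the fragment has no ports to report; only a packet capture of the first fragment (or reassembly) will tell you what the datagram actually was. And a query for the root name (".") is what a resolver sends when priming its root hints, so a source that appears in both logs with a changing high source port is at least consistent with ordinary resolver traffic rather than a nestea-style fragment attack; the counts here only tell you which addresses to look at, not which explanation is right.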

