Security Incidents mailing list archives

Re: DNS UDP Dos Attack?


From: Wlodek <wlodek () INFOSERVE NET>
Date: Fri, 2 Mar 2001 15:32:50 -0800

I have a similar situation, but from different hosts and different ports.
In my case I consider this a DoS from two networks running Windows New
Technology.
I even contacted the reps of the companies, but they laughed in my face.
All of these are from the Canadian UUNet network.
Or maybe I'm a bit paranoid....
regards
wlodek
Here is an excerpt from my logs:
02:14 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.43 port 138 to 209.53.203.255 port 138
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:28 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:28 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:02:32 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:32 helium /kernel: drawbridge: UDP incoming port: from
209.53.200.33 port 137 to 209.53.200.255 port 137
eb 21 12:05:08 helium /kernel: drawbridge: UDP incoming port: from
209.53.201.254 port 138 to 209.53.207.255 port 138
Feb 21 12:05:09 helium /kernel: drawbridge: UDP incoming port: from
209.53.201.254 port 137 to 209.53.207.255 port 137
Feb 21 12:05:13 helium last message repeated 5 times
Feb 21 12:05:13 helium /kernel: drawbridge: UDP incoming port: from
209.53.201.254 port 138 to 209.53.207.255 port 138
Feb 21 12:05:14 helium /kernel: drawbridge: UDP incoming port: from
209.53.201.254 port 137 to 209.53.207.255 port 137
Feb 21 12:05:15 helium last message repeated 3 times
----- Original Message -----
From: James Kelty <james () TUNA ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, March 02, 2001 2:46 PM
Subject: DNS UDP Dos Attack?


Hello,

 I am receiving a ton of attempted UDP connections to an internal host.
Connecting to this host is stopped at my firewall, but my firewall is
paying a stiff price. I have seen the available memory on my firewall
go down by 1-2 MB per minute while it tries to block all this traffic.

Has anyone seen systems trying to reach a DNS host via UDP to port
42326?

Here is a snippet of log files.

UDP out 209.10.34.23:8541 in 209.11.137.71:42326 idle 0:32:24 flags -
UDP out 209.10.34.39:29277 in 209.11.137.71:42326 idle 0:33:26 flags -
UDP out 207.235.38.3:28931 in 209.11.137.71:42326 idle 0:32:42 flags -
UDP out 209.10.34.39:33373 in 209.11.137.71:42326 idle 0:33:38 flags
D-
UDP out 206.190.71.2:33812 in 209.11.137.71:42326 idle 0:33:49 flags
D-
UDP out 193.141.40.42:1437 in 209.11.137.71:42326 idle 0:35:19 flags -
UDP out 63.91.4.4:12673 in 209.11.137.71:42326 idle 0:34:49 flags -

Thanks for any help!

-James
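As an added triage example (not code from either poster), the script below parses both log formats that appear in this thread and separates NetBIOS name/datagram service broadcasts (UDP 137/138 sent to a subnet broadcast address, which Windows hosts emit routinely) from a single destination port being hit by many distinct sources, the pattern James describes. The sample lines are constructed to match the thread's formats and the fan-in threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two formats in the thread:
# the drawbridge syslog lines and the firewall "UDP out ... in ..." lines.
SAMPLE = """\
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.22 port 137 to 209.53.200.255 port 137
Feb 21 12:02:27 helium /kernel: drawbridge: UDP incoming port: from 209.53.200.33 port 137 to 209.53.200.255 port 137
Feb 21 12:05:08 helium /kernel: drawbridge: UDP incoming port: from 209.53.201.254 port 138 to 209.53.207.255 port 138
UDP out 209.10.34.23:8541 in 209.11.137.71:42326 idle 0:32:24 flags -
UDP out 209.10.34.39:29277 in 209.11.137.71:42326 idle 0:33:26 flags -
UDP out 207.235.38.3:28931 in 209.11.137.71:42326 idle 0:32:42 flags -
UDP out 63.91.4.4:12673 in 209.11.137.71:42326 idle 0:34:49 flags -
"""

DRAWBRIDGE = re.compile(r"UDP incoming port: from (\S+) port (\d+) to (\S+) port (\d+)")
CONNTABLE = re.compile(r"UDP out (\S+):(\d+) in (\S+):(\d+)")
NETBIOS_PORTS = {137, 138}  # NetBIOS name service / datagram service

def parse_udp(line):
    """Return (src, sport, dst, dport) for either log format, or None."""
    m = DRAWBRIDGE.search(line) or CONNTABLE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def is_netbios_broadcast(src, sport, dst, dport):
    """True for NetBIOS 137/138 traffic aimed at a subnet broadcast address."""
    return dport in NETBIOS_PORTS and dst.endswith(".255")

def triage(text, fanin_threshold=3):
    """Split records into routine NetBIOS broadcasts (counted per source) and
    (dst, dport) targets contacted by at least fanin_threshold distinct sources.
    The threshold is an assumed value, tune it to the site's normal traffic."""
    broadcasts = Counter()
    sources_per_target = {}
    for line in text.splitlines():
        rec = parse_udp(line)
        if rec is None:
            continue
        src, sport, dst, dport = rec
        if is_netbios_broadcast(*rec):
            broadcasts[src] += 1
        else:
            sources_per_target.setdefault((dst, dport), set()).add(src)
    fanin = {t: len(s) for t, s in sources_per_target.items() if len(s) >= fanin_threshold}
    return {"netbios_broadcast_sources": dict(broadcasts), "high_fanin_targets": fanin}

if __name__ == "__main__":
    print(triage(SAMPLE))
```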

