Security Incidents mailing list archives

BIND scan data


From: "Jeffrey D. Carter" <jeffc () SHORE NET>
Date: Tue, 27 Mar 2001 10:52:58 -0500

Port 53 (DNS) probes over the last 6 weeks. 2 machines - one is a
name server for several obscure domains, the other does not run a
name server at all.

The name server is configured via an acl entry to deny & log all
version.bind requests -- after all, *I* know what version it is,
and it's nobody else's da&%^&* business.

The other machine/IP address is firewalled, and drops & logs all
unauthorized packets. Below are just the DNS probes.

All timestamps are NTP synchronized, US/Eastern (GMT-0500).

As you can see, there is a lot of correlation from the version.bind
requests to the dropped probes. This indicates that these are
not due to some kind of DNS tree walk, but are instead a wide
scan. Note that there are other non-version.bind scans going
on too.

Jeff Carter
jeffc () shore net

Logs follow
=====
Denied "version.bind" probes to my name server (logging activated
February 8):

Feb 11 14:46:58 named[260]: denied query from [209.233.217.54].2200 for "version.bind"
Feb 13 09:16:37 named[260]: denied query from [24.21.214.135].2353 for "version.bind"
Feb 14 18:05:53 named[260]: denied query from [64.45.192.50].1407 for "version.bind"
Feb 14 18:05:53 named[260]: denied query from [64.45.192.50].1406 for "version.bind"
Feb 16 09:50:54 named[261]: denied query from [38.144.72.132].2511 for "version.bind"
Feb 18 04:46:59 named[261]: denied query from [195.80.165.48].1691 for "version.bind"
Feb 20 02:38:51 named[261]: denied query from [158.42.67.37].4513 for "version.bind"
Feb 20 08:56:52 named[261]: denied query from [211.36.42.130].1767 for "version.bind"
Feb 20 08:56:55 named[261]: denied query from [211.36.42.130].1782 for "version.bind"
Feb 21 04:46:12 named[261]: denied query from [199.172.192.20].1101 for "version.bind"
Feb 24 10:45:40 named[261]: denied query from [128.242.207.7].3514 for "version.bind"
Feb 25 22:18:06 named[261]: denied query from [64.224.114.33].4835 for "version.bind"
Feb 25 22:18:06 named[261]: denied query from [64.224.114.33].4871 for "version.bind"
Feb 26 15:32:17 named[261]: denied query from [216.234.186.57].4750 for "version.bind"
Feb 27 23:52:12 named[261]: denied query from [211.0.10.131].4410 for "version.bind"
Mar  2 22:14:29 named[261]: denied query from [212.67.193.72].3506 for "version.bind"
Mar  3 06:49:24 named[261]: denied query from [202.39.75.10].2153 for "version.bind"
Mar  8 00:54:07 named[261]: denied query from [206.138.81.160].4038 for "version.bind"
Mar 18 03:54:42 named[261]: denied query from [134.68.50.245].4090 for "version.bind"
Mar 18 17:44:29 named[261]: denied query from [209.123.121.159].1053 for "version.bind"
Mar 20 04:24:52 named[261]: denied query from [216.40.195.104].3196 for "version.bind"
Mar 20 18:51:02 named[261]: denied query from [211.62.39.37].1252 for "VERSION.BIND"
Mar 21 23:50:26 named[261]: denied query from [211.195.119.131].2421 for "version.bind"
Mar 22 19:04:12 named[261]: denied query from [211.45.188.54].4112 for "version.bind"
Mar 24 03:49:46 named[261]: denied query from [64.45.60.234].2806 for "version.bind"

non-nameserver machine in same (/29) subnet, same time period:

Feb 11 14:21:08 drop in tcp syn 209.233.217.54:3502 209.58.151.30:53 (60)
Feb 11 18:18:43 drop in tcp syn 216.200.138.80:1658 209.58.151.30:53 (60)
Feb 12 06:44:58 drop in tcp syn 216.109.142.60:53 209.58.151.30:53 (40)
Feb 12 15:24:25 drop in tcp syn 211.171.255.179:3229 209.58.151.30:53 (60)
Feb 13 09:16:37 drop in tcp syn 24.21.214.135:53 209.58.151.30:53 (40)
Feb 14 18:05:53 drop in tcp syn 64.45.192.50:53 209.58.151.30:53 (40)
Feb 16 09:50:54 drop in tcp syn 38.144.72.132:3217 209.58.151.30:53 (60)
Feb 16 09:50:57 drop in tcp syn 38.144.72.132:3217 209.58.151.30:53 (60)
Feb 16 21:10:19 drop in tcp syn 63.198.248.132:3830 209.58.151.30:53 (60)
Feb 17 07:20:34 drop in tcp syn 210.218.88.203:1636 209.58.151.30:53 (60)
Feb 17 07:20:37 drop in tcp syn 210.218.88.203:1636 209.58.151.30:53 (60)
Feb 18 04:46:58 drop in tcp syn 195.80.165.48:4540 209.58.151.30:53 (60)
Feb 18 04:47:01 drop in tcp syn 195.80.165.48:4540 209.58.151.30:53 (60)
Feb 18 20:23:45 drop in tcp syn 198.77.1.24:65065 209.58.151.30:53 (40)
Feb 19 22:01:54 drop in tcp syn 198.6.245.6:23755 209.58.151.30:53 (40)
Feb 20 02:38:50 drop in tcp syn 158.42.67.37:53 209.58.151.30:53 (40)
Feb 20 08:56:51 drop in tcp syn 211.36.42.130:53 209.58.151.30:53 (40)
Feb 21 04:20:37 drop in tcp syn 199.172.192.20:1401 209.58.151.30:53 (60)
Feb 23 05:50:38 drop in tcp syn 208.22.88.2:53 209.58.151.30:53 (40)
Feb 24 10:45:36 drop in tcp syn 128.242.207.7:53 209.58.151.30:53 (40)
Feb 25 20:13:20 drop in tcp syn 204.216.246.33:2018 209.58.151.30:53 (60)
Feb 25 22:18:06 drop in tcp syn 64.224.114.33:53 209.58.151.30:53 (40)
Feb 26 15:32:17 drop in udp 216.234.186.57:4746 209.58.151.30:53 (58)
Feb 27 06:21:43 drop in tcp syn 209.246.122.251:37512 209.58.151.30:53 (40)
Feb 27 14:59:22 drop in tcp syn 209.25.248.245:53 209.58.151.30:53 (40)
Feb 27 23:52:10 drop in tcp syn 211.0.10.131:53 209.58.151.30:53 (40)
Mar  1 03:53:10 drop in tcp syn 212.38.64.10:12360 209.58.151.30:53 (40)
Mar  2 17:35:13 drop in tcp syn 38.151.149.21:3934 209.58.151.30:53 (60)
Mar  3 06:49:25 drop in udp 202.39.75.10:2287 209.58.151.30:53 (58)
Mar  3 12:42:36 drop in tcp syn 213.254.180.225:53 209.58.151.30:53 (40)
Mar  4 14:07:21 drop in tcp syn 200.202.120.51:53 209.58.151.30:53 (40)
Mar  8 00:54:07 drop in tcp syn 206.138.81.160:4583 209.58.151.30:53 (60)
Mar  9 05:04:49 drop in tcp syn 212.211.196.100:53 209.58.151.30:53 (40)
Mar 11 16:53:52 drop in tcp syn 202.98.13.13:1771 209.58.151.30:53 (60)
Mar 13 16:09:16 drop in tcp syn 207.87.250.50:53 209.58.151.30:53 (40)
Mar 14 06:49:40 drop in tcp syn 202.109.73.66:53 209.58.151.30:53 (40)
Mar 14 21:34:43 drop in tcp syn 209.190.218.64:4408 209.58.151.30:53 (60)
Mar 14 21:34:49 drop in tcp syn 209.190.218.64:4408 209.58.151.30:53 (60)
Mar 18 01:03:34 drop in tcp syn 210.119.127.61:1096 209.58.151.30:53 (60)
Mar 18 01:03:37 drop in tcp syn 210.119.127.61:1096 209.58.151.30:53 (60)
Mar 18 03:54:42 drop in tcp syn 134.68.50.245:1198 209.58.151.30:53 (60)
Mar 18 03:54:45 drop in tcp syn 134.68.50.245:1198 209.58.151.30:53 (60)
Mar 18 17:44:29 drop in udp 209.123.121.159:1301 209.58.151.30:53 (58)
Mar 20 04:24:52 drop in tcp syn 216.40.195.104:3663 209.58.151.30:53 (60)
Mar 20 04:24:55 drop in tcp syn 216.40.195.104:3663 209.58.151.30:53 (60)
Mar 20 18:50:59 drop in tcp syn 211.62.39.37:2032 209.58.151.30:53 (60)
Mar 20 18:51:02 drop in tcp syn 211.62.39.37:2032 209.58.151.30:53 (60)
Mar 21 00:52:26 drop in tcp syn 200.245.179.36:3179 209.58.151.30:53 (60)
Mar 21 00:52:29 drop in tcp syn 200.245.179.36:3179 209.58.151.30:53 (60)
Mar 21 14:19:08 drop in tcp syn 163.15.64.253:1554 209.58.151.30:53 (60)
Mar 21 14:19:11 drop in tcp syn 163.15.64.253:1554 209.58.151.30:53 (60)
Mar 21 23:50:25 drop in tcp syn 211.195.119.131:1136 209.58.151.30:53 (60)
Mar 21 23:50:28 drop in tcp syn 211.195.119.131:1136 209.58.151.30:53 (60)
Mar 22 19:04:11 drop in tcp syn 211.45.188.54:53 209.58.151.30:53 (40)
Mar 23 16:14:36 drop in tcp syn 211.34.13.130:3165 209.58.151.30:53 (60)
Mar 24 03:49:46 drop in tcp syn 64.45.60.234:1913 209.58.151.30:53 (60)
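One way to check the correlation described above, as an added example that is not part of the original message: a small Python script that parses both log formats, pairs each denied version.bind query on the name server with a dropped port-53 packet from the same source on the firewalled neighbour, and lists sources that only hit the firewalled host. The year (2001, taken from the message date) and the 30-minute pairing window are assumptions.

```python
import re
from datetime import datetime

# Sample lines copied from the post; the syslog stamps carry no year, and
# 2001 is assumed from the message date.
NAMED_LOG = """\
Feb 11 14:46:58 named[260]: denied query from [209.233.217.54].2200 for "version.bind"
Feb 13 09:16:37 named[260]: denied query from [24.21.214.135].2353 for "version.bind"
Mar 20 18:51:02 named[261]: denied query from [211.62.39.37].1252 for "VERSION.BIND"
"""
FIREWALL_LOG = """\
Feb 11 14:21:08 drop in tcp syn 209.233.217.54:3502 209.58.151.30:53 (60)
Feb 13 09:16:37 drop in tcp syn 24.21.214.135:53 209.58.151.30:53 (40)
Mar 14 21:34:43 drop in tcp syn 209.190.218.64:4408 209.58.151.30:53 (60)
Mar 20 18:50:59 drop in tcp syn 211.62.39.37:2032 209.58.151.30:53 (60)
"""
NAMED_RE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) named\[\d+\]: denied query '
                      r'from \[([\d.]+)\]\.\d+ for "version\.bind"', re.I)
FW_RE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) drop in (?:tcp syn|udp) '
                   r'([\d.]+):\d+ [\d.]+:53 ')

def parse(text, pattern, year=2001):
    """(timestamp, source IP) per matching line; strptime accepts 'Mar  2'."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((stamp, m.group(2)))
    return out

def correlate(named_events, fw_events, window_s=1800):
    """Map source IP -> gaps in seconds between its version.bind probe on the
    name server and its dropped port-53 packet on the neighbour, for pairs
    within window_s. One source touching both hosts is the post's evidence
    for a subnet sweep; 30 min covers the Feb 11 pair (about 26 min apart)."""
    hits = {}
    for nts, src in named_events:
        for fts, fsrc in fw_events:
            gap = abs(int((nts - fts).total_seconds()))
            if fsrc == src and gap <= window_s:
                hits.setdefault(src, []).append(gap)
    return hits

def firewall_only(named_events, fw_events):
    """Sources that hit the firewalled host but never asked version.bind."""
    asked = {src for _, src in named_events}
    return sorted({src for _, src in fw_events if src not in asked})
```

Running it over the full logs in the post, rather than the four sample lines, reproduces the pairings the author points to and leaves the non-version.bind scanners in the firewall-only list.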
