Security Incidents mailing list archives

Re: DNS Floods to personal firewalls


From: yves.soun () certa scssi gouv fr
Date: Thu, 17 May 2001 11:04:56 +0200


This traffic appears to be the result of an RTT measurement which involves Mirror-image servers. According to Mirror-image, a load balancer (Cisco's Distributed Director) is used.

More on DRP-RTT metric: http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm


I see all the nodes quoted in the following list except 165.121.70.75 and 212.78.164.193.

I think the ACK flag and port 53 are used to bypass routers' filters.


Yves Soun.


--------------- CERTA (French Governmental CSIRT) ---------------
        Phone:  (+33) 1 41 46 25 23
        Fax:    (+33) 1 41 46 37 01
        E-mail: CERTA-svp () certa scssi gouv fr
-----------------------------------------------------------------





On 2001-05-16 11:02:29 +0200, Thomas Roessler wrote:

The same characteristic also applies to the logs at http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David posted, and which are 10 days old. (!)

Asking google for a randomly selected common IP address from the list, I found <http://my.maceast.com/homevision-u-l/ace-l/linux-router-l/%2330765452>, where Nicolas Riendeau reports a similar scan which happened on April 13, 2001.

Taking his log file entries ("MrShield") into account, the table of attackers' IP addresses looks like this now:

140.239.176.162  keith    sobolev  tifa     mrshield
165.121.70.75    keith
194.205.125.26   keith    sobolev  tifa     mrshield
194.213.64.150   keith    sobolev  tifa     mrshield
202.139.133.129  keith    sobolev  tifa     mrshield
203.194.166.182  keith    sobolev  tifa     mrshield
203.208.128.70   keith    sobolev  tifa     mrshield
207.55.138.206   keith    sobolev  tifa
208.184.162.71   keith    sobolev  tifa     mrshield
209.249.97.40    keith    sobolev  tifa     mrshield
212.23.225.98    keith    sobolev  tifa     mrshield
212.78.160.237   keith             tifa     mrshield
212.78.164.193            sobolev
216.220.39.42    keith    sobolev  tifa     mrshield
216.33.35.214    keith    sobolev  tifa     mrshield
216.34.68.2      keith    sobolev  tifa     mrshield
216.35.167.58    keith    sobolev  tifa
62.23.80.2       keith    sobolev  tifa     mrshield
62.26.119.34     keith    sobolev  tifa     mrshield
63.209.147.246   keith    sobolev  tifa     mrshield
64.14.200.154    keith    sobolev  tifa
64.37.200.46     keith    sobolev  tifa     mrshield
64.56.174.186    keith    sobolev  tifa     mrshield
64.78.235.14     keith    sobolev  tifa

Maybe what we are seeing here are mostly decoy addresses used by some tool with an extremely bad RNG?

--
Thomas Roessler                        http://log.does-not-exist.org/
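Added example (not code from this thread or from any of the posters) illustrating the two points discussed above: Yves's observation that TCP packets with the ACK flag set and port 53 slip through stateless router ACLs that treat any ACK as "established", and Thomas's method of correlating the same source addresses across several people's firewall logs. It assumes a simplified, constructed log format (observer, direction, protocol, src ip:port, dst ip:port, TCP flags); the sample lines and the 203.0.113.x / 198.51.100.x addresses are constructed documentation-range values, not addresses from the thread. A packet is treated as a probe only when it is an inbound TCP ACK (no SYN) to destination port 53 for which that observer never saw a SYN in either direction, which is the check a stateful filter performs and a stateless "established" ACL does not.

```python
"""Flag unsolicited TCP ACK probes to port 53 and correlate sources across observers.

Added example with a constructed log format (assumption); not the thread's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample logs from three hypothetical observers. Columns:
# observer  direction  proto  src_ip:port  dst_ip:port  tcp_flags ("-" for UDP)
SAMPLE_LOGS = """\
keith   in  TCP 198.51.100.7:2001  192.0.2.10:53    S
keith   out TCP 192.0.2.10:53      198.51.100.7:2001 SA
keith   in  TCP 198.51.100.7:2001  192.0.2.10:53    A
keith   in  TCP 203.0.113.5:1234   192.0.2.10:53    A
keith   in  TCP 203.0.113.9:1234   192.0.2.10:53    A
sobolev in  TCP 203.0.113.5:1234   192.0.2.20:53    A
sobolev in  UDP 203.0.113.44:1500  192.0.2.20:53    -
tifa    in  TCP 203.0.113.5:1234   192.0.2.30:53    A
tifa    in  TCP 203.0.113.9:1234   192.0.2.30:80    A
"""

LINE_RE = re.compile(
    r"^(?P<observer>\S+)\s+(?P<dir>in|out)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flow_key(rec):
    """Direction-agnostic 4-tuple so both halves of a connection map to one flow."""
    return frozenset({(rec["sip"], rec["sport"]), (rec["dip"], rec["dport"])})


def is_unsolicited_ack_to_53(rec, known_flows):
    """True for an inbound TCP ACK (no SYN) to port 53 whose flow never had a SYN.

    A stateless ACL such as "permit tcp any any established" passes this packet
    because the ACK bit is set; a stateful tracker rejects it because no
    handshake for this 4-tuple was ever observed.
    """
    return (
        rec["proto"] == "TCP"
        and rec["dir"] == "in"
        and rec["dport"] == 53
        and "A" in rec["flags"]
        and "S" not in rec["flags"]
        and flow_key(rec) not in known_flows
    )


def correlate_probes(log_text):
    """Return {probe_source_ip: set(observers that saw it)} over all log lines."""
    known = defaultdict(set)   # observer -> flows for which a SYN was seen
    probes = defaultdict(set)  # probe source IP -> observers reporting it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and "S" in rec["flags"]:
            # SYN or SYN/ACK in either direction marks the flow as legitimately opened.
            known[rec["observer"]].add(flow_key(rec))
        elif is_unsolicited_ack_to_53(rec, known[rec["observer"]]):
            probes[rec["sip"]].add(rec["observer"])
    return dict(probes)


def render_table(probes, observers):
    """Render the per-source presence table in the same layout as the thread's list."""
    rows = []
    for ip in sorted(probes):
        cells = [name if name in probes[ip] else "" for name in observers]
        rows.append(f"{ip:<16}" + "".join(f"{c:<9}" for c in cells).rstrip())
    return "\n".join(rows)


if __name__ == "__main__":
    found = correlate_probes(SAMPLE_LOGS)
    print(render_table(found, ["keith", "sobolev", "tifa"]))
```

On the constructed sample, 203.0.113.5 is reported by all three observers and 203.0.113.9 only by keith; the ACK from 198.51.100.7 is part of a flow that began with a SYN, so it is not counted, and the TCP ACK to port 80 and the UDP query are outside the rule. Real ipchains or iptables kernel log lines carry the same fields under different labels, so only `LINE_RE` would need adjusting.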

