RE: SYN/ACK to port 53

["DeCamp, Paul" <PDeCamp () MedManageSystems com>]

Good job at hunting this down, and thanks for the information.

This actually clears things up quite a bit.  At first look I thought this
was some sort of Bind exploit being launched at us, but it puzzled me why
none of our other DNS servers were being hit with it.  Add to that the fact
that the series of hits always come from the same sources (by the way
Andreas, the same addresses that hit your home system yesterday), and only
on one of the perimeter IP addresses, I was really starting to wonder what
was going on.

Thanks again, and also to all the others that responded directly.

------------------
Paul DeCamp, IT Operations Lead
MedManage Systems Inc.
Voice:  (425) 354-2212
E-Mail: PDeCamp () medmanagesystems com

> -----Original Message-----
> From: Keith.Morgan [mailto:Keith.Morgan () Terradon com]
> Sent: Thursday, May 24, 2001 2:00 PM
> To: 'DeCamp, Paul'
> Cc: 'incidents () securityfocus com'
> Subject: RE: SYN/ACK to port 53
>
>
> We've nailed this down.  Several of us got into some pretty in-depth
> investigation on this matter starting about the middle of this month.
>
> There is a company called "mirror-image."  See 
> http://www.mirror-image.com.
>
> They are using Cisco' distributed content director.  This 
> calculates the
> shortest distance between an http-get and and http reply.  
> For some insane
> reason, they have decided to configure thier content director 
> to poll on
> port 53.  Every time one of your users browses to one of 
> thier customer's
> sites, you're going to get flooded with these syn-ack packets 
> destined for
> port 53.  I'm still awaiting some sort of answer from the 
> folks at mirror
> image.
>
> One should note, that I don't believe Cisco's distributed 
> content director
> is configured to use port 53 by default.  My understanding is that it
> normally uses high ports, but again, for unknown reasons, the folks at
> mirror image (and possibly others) have decided to use port 53.
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morgan () terradon com
> 304-755-8291 x142
>
>
> > -----Original Message-----
> > From: DeCamp, Paul [mailto:PDeCamp () MedManageSystems com]
> > Sent: Thursday, May 24, 2001 2:33 PM
> > To: INCIDENTS (E-mail)
> > Subject: SYN/ACK to port 53
> >
> >
> > OK, this is beginning to drive me nuts.  Since about February 
> > of this year,
> > our firewall has been periodically hit with what can only 
> be a probe,
> > attack, whatever to port 53.  Every time the scan exhibits 
> > the same behavior
> > and is from the same set of IP addresses.
> >
> > A SYN/ACK packet is sent to TCP port 53.  No SYN was sent 
> > from our system.
> > The SYN & ACK sequence numbers appear to be random, but the 
> > ACK is always 1
> > less than the SYN.  Our system responds with a RST to the ACK.
> >
> > I have searched books, the Internet (SANS, SecuityFocus, 
> > etc.), and while I
> > have found other reports of somewhat-simlar activity, I have 
> > to this day
> > found no coherent explanation as to what this is.  Based on 
> > the SYN/ACK
> > numbers, this is obviously some sort of malformed packet, 
> but to what
> > purpose?  To spoof our system into thinking that it has sent 
> > a SYN when it
> > hasn't?  Is it a type of SYN flood?  To hijack a port on our 
> > system?  A scan
> > for some trojan?
> >
> > Any assistance would be appreciated, and better yet, any 
> > advice as to where
> > on the Internet is a good location for looking up such 
> > obviously abnormal
> > activity and what possible explanations may be.  Thanks.
> >
> > ------------------
> > Paul DeCamp, IT Operations Lead
> > MedManage Systems Inc.
> > Voice:  (425) 354-2212
> > E-Mail: PDeCamp () medmanagesystems com