Re: DNS Floods to personal firewalls

[Bryan Andersen <bryan () visi com>]

I've seen lots of dns MX record requests whenever I post 
to a debian list. There are literally hundreds of requests.  
Usually on the order of 700-900 each time.  They are full 
MX record requests.  This is relatively new.  I'm wondering 
if a default configuration has changed such that MX records 
are looked up for incomming mail.  It also could be something 
else.

"Keith.Morgan" wrote:
> We've been seeing these as well.  But not just to personal firewalls.  I've
> seen them on cable modems, dsl lines, and corporate T-1's.
>
> I'm cross-posting this because I've seen references to this type of activity
> on multiple lists.
>
> I'm a bit baffled by this.  The source port is always 53, with a random
> destination port.  And they appear to be replies to me as well.  A
> possibility is that we're being used as decoy addresses in some sort of
> scanning.  However, since the addresses are *SO* random, this tends to rule
> out nmap as a scanner using --randomize-hosts.  Nmap will randomize, but
> when fed a really large network block to scan, it will scan within three or
> so class C networks at a time.
>
> Are there other scanning tools with the ability to use spoofed decoy
> addresses, yet provide better randomization than nmap when scanning?
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morgan () terradon com
> 304-755-8291 x142
>
>
> > -----Original Message-----
> > From: Ben Alexander [mailto:balexander () pmg net]
> > Sent: Monday, May 14, 2001 10:25 AM
> > To: 'n9ubh () callsign net'
> > Cc: 'focus-linux () securityfocus com'
> > Subject: RE: DNS Floods to personal firewalls
> >
> >
> > I received these as well, and I know a few others that
> > receive them also.
> > Using arin whois, here is what I put together:
> >
> > [140.239.176.162/17221]       HarvardNet
> > [165.121.70.75/64551] Earthlink
> > [194.205.125.26/41123]        European Regional Internet Registry
> > [194.213.64.150/47642]        European Regional Internet Registry
> > [202.139.133.129/41595]       Asia Pacific Network Information Center
> > [203.194.166.182/38808]       Asia Pacific Network Information Center
> > [203.208.128.70/12235]        Asia Pacific Network Information Center
> > [207.55.138.206/61929]        "Verio, Inc."
> > [208.184.162.71/53567]        Abovenet Communications
> > [209.249.97.40/45714] Abovenet Communications
> > [212.23.225.98/57974] European Regional Internet Registry
> > [212.78.160.237/29368]        European Regional Internet Registry
> > [216.220.39.42/21602] "Myna Communications, Inc."
> > [216.33.35.214/21092] Exodus Communications
> > [216.34.68.2/45906]   Exodus Communications
> > [216.35.167.58/32470] Exodus Communications
> > [62.23.80.2/55543]    European Regional Internet Registry
> > [62.26.119.34/56523]  European Regional Internet Registry
> > [63.209.147.246/54734]        Level 3 Communications
> > [64.14.200.154/32735] Exodus Communications
> > [64.37.200.46/65042]  Exodus Communications
> > [64.56.174.186/14237] Exodus Communications
> > [64.78.235.14/17768]  "Verado, Inc. (Firstworld Communications)"
> >
> > > -----Original Message-----
> > > From: ssrat () MAILBAG COM [mailto:ssrat () MAILBAG COM]
> > > Sent: Sunday, May 06, 2001 10:24 PM
> > > To: FOCUS-LINUX () SECURITYFOCUS COM
> > > Subject: DNS Floods to personal firewalls
> > >
> > >
> > > There seems to be lots of these happening.  They appear to be some
> > > kind of DNS replies, but are getting rejected by the
> > firewall - these
> > > reports are coming from the Linux Router Project (LRP) list.
> > >
> > > I've asked for a tcpdump to be sent, as I've not seen
> > these; could it
> > > be a DNS server somewhere was taken over, or some kind of
> > attack tool
> > > generates the same spoofed addresses?
> > >
> > > So far the main report details are the reject lines from ipchains in
> > > /var/logs/messages.
> > >
> > > Here is a portion one person posted:
> > >
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0
> > F=0x0000 T=241
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0
> > F=0x0000 T=237
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238
> > > (#37)
> > > May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
> > > 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237
> > > (#37)
> > >
> > > He has the entire thing in an URL:
> > > http://members.iinet.net.au/~paulhng/lrp/kernlog.txt
> > >
> > > It also appears that the same IPs are reported over and over again.
> > > It has the markings of some kind of tool I think - but I'm new at
> > > this.


-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |