Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: DNS Floods to personal firewalls

From: Steve R <steve () extranet co nz>
Date: Wed, 16 May 2001 10:18:50 +1200
16/05/01 01:50:06, "Keith.Morgan" <Keith.Morgan () Terradon com> wrote:

I've seen this for that last few months, about the same time there was a discussion re a 
Cisco product for load balancing DNS, global distributed director I think.

It's always seems to occur shortly after surfing to certain web sites, Simple Nomads -
Razor, and one or two of the formula 1 sites.

Is it possible these aren't actually spoofed addressed, but valid DNS responses that are 
either mis-timed, or as above related to distributed DNS servers that the firewall isn't 
expecting responses from?

Cheers, 
        SteveR


We've been seeing these as well.  But not just to personal firewalls.  I've
seen them on cable modems, dsl lines, and corporate T-1's.   

I'm cross-posting this because I've seen references to this type of activity
on multiple lists.

I'm a bit baffled by this.  The source port is always 53, with a random
destination port.  And they appear to be replies to me as well.  A
possibility is that we're being used as decoy addresses in some sort of
scanning.  However, since the addresses are *SO* random, this tends to rule
out nmap as a scanner using --randomize-hosts.  Nmap will randomize, but
when fed a really large network block to scan, it will scan within three or
so class C networks at a time.  

Are there other scanning tools with the ability to use spoofed decoy
addresses, yet provide better randomization than nmap when scanning?

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142



-----Original Message-----
From: Ben Alexander [mailto:balexander () pmg net]
Sent: Monday, May 14, 2001 10:25 AM
To: 'n9ubh () callsign net'
Cc: 'focus-linux () securityfocus com'
Subject: RE: DNS Floods to personal firewalls


I received these as well, and I know a few others that 
receive them also.
Using arin whois, here is what I put together:

[140.239.176.162/17221]      HarvardNet
[165.121.70.75/64551]        Earthlink
[194.205.125.26/41123]       European Regional Internet Registry
[194.213.64.150/47642]       European Regional Internet Registry
[202.139.133.129/41595]      Asia Pacific Network Information Center
[203.194.166.182/38808]      Asia Pacific Network Information Center
[203.208.128.70/12235]       Asia Pacific Network Information Center
[207.55.138.206/61929]       "Verio, Inc."
[208.184.162.71/53567]       Abovenet Communications
[209.249.97.40/45714]        Abovenet Communications
[212.23.225.98/57974]        European Regional Internet Registry
[212.78.160.237/29368]       European Regional Internet Registry
[216.220.39.42/21602]        "Myna Communications, Inc."
[216.33.35.214/21092]        Exodus Communications
[216.34.68.2/45906]  Exodus Communications
[216.35.167.58/32470]        Exodus Communications
[62.23.80.2/55543]   European Regional Internet Registry
[62.26.119.34/56523] European Regional Internet Registry
[63.209.147.246/54734]       Level 3 Communications
[64.14.200.154/32735]        Exodus Communications
[64.37.200.46/65042] Exodus Communications
[64.56.174.186/14237]        Exodus Communications
[64.78.235.14/17768] "Verado, Inc. (Firstworld Communications)"


-----Original Message-----
From: ssrat () MAILBAG COM [mailto:ssrat () MAILBAG COM]
Sent: Sunday, May 06, 2001 10:24 PM
To: FOCUS-LINUX () SECURITYFOCUS COM
Subject: DNS Floods to personal firewalls


There seems to be lots of these happening.  They appear to be some
kind of DNS replies, but are getting rejected by the 

firewall - these

reports are coming from the Linux Router Project (LRP) list.

I've asked for a tcpdump to be sent, as I've not seen 

these; could it

be a DNS server somewhere was taken over, or some kind of 

attack tool

generates the same spoofed addresses?

So far the main report details are the reject lines from ipchains in
/var/logs/messages.

Here is a portion one person posted:

May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 

F=0x0000 T=241

(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 

F=0x0000 T=237

(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238
(#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6
216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237
(#37)

He has the entire thing in an URL:
http://members.iinet.net.au/~paulhng/lrp/kernlog.txt

It also appears that the same IPs are reported over and over again.
It has the markings of some kind of tool I think - but I'm new at
this.


--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
n9ubh () callsign net








Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +649 377 1122, Mob: 025 835530 Fax: +649 377 1109
Previous By Date Next
Previous By Thread Next

Current thread: