Security Incidents mailing list archives

RE: DNS Floods to personal firewalls (mystery solved?)


From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Wed, 16 May 2001 10:46:11 -0400

Ok folks.  I've done some investigation with a number of providers.  Here's
what we believe is happening.  There's an organization called "mirror-image"
(see http://www.mirror-image.com) running an application that "tries to find
shortest vector distance between http request, and http reply."  Their
application used to use high ports, but apparently, they've recently changed
to using port 53.  I'll be contacting their development team today to ask
why they would use port 53 (to avoid firewalls dropping the packets?) as
opposed to 80, or high ports.

Every provider I contacted (the ones that were even vaguely cooperative)
hosted, or otherwise did business with these folks at mirror-image.  It
appears that the mystery may be solved.



-----Original Message-----
From: Thomas Roessler [mailto:roessler () does-not-exist org]
Sent: Wednesday, May 16, 2001 5:02 AM
To: Keith.Morgan
Cc: 'focus-linux () securityfocus com'; 'incidents () securityfocus com';
Michael Linke; n9ubh () callsign net
Subject: Re: DNS Floods to personal firewalls


Last night, I could observe a pattern similar (but not identical!)
to the one you report: There was a whole slew of TCP packets to port
53, all with the SYN and ACK bits set. (These packets were caught by
the stateful packet filter of linux 2.4.)

I looked at the list of source IP addresses you compiled, and found
that 21 of them are occurring in my logs, too.

The same characteristic also applies to the logs at 
http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David 
posted, and which are 10 days old. (!)

On de.comp.security.firewall, "Michael Linke" <ml () globetrotter de> 
has been talking about what he describes as "little DDoS attacks 
(20-30 clients) with SYN ACK packets to port 53", which looks like 
he is seeing the same activities we are observing.

My own logs are attached.  Also, here's a summary of the IP 
addresses and where they occur.  keith means that the address was in 
your list, tifa means that it was in kernlog.txt (it's the host name 
there), and sobolev means that it was in my logs (host name once 
again).

140.239.176.162   keith   sobolev   tifa
165.121.70.75     keith                     *
194.205.125.26    keith   sobolev   tifa
194.213.64.150    keith   sobolev   tifa
202.139.133.129   keith   sobolev   tifa
203.194.166.182   keith   sobolev   tifa
203.208.128.70    keith   sobolev   tifa
207.55.138.206    keith   sobolev   tifa
208.184.162.71    keith   sobolev   tifa
209.249.97.40     keith   sobolev   tifa
212.23.225.98     keith   sobolev   tifa
212.78.160.237    keith             tifa    *
212.78.164.193            sobolev           *
216.220.39.42     keith   sobolev   tifa
216.33.35.214     keith   sobolev   tifa
216.34.68.2       keith   sobolev   tifa
216.35.167.58     keith   sobolev   tifa
62.23.80.2        keith   sobolev   tifa
62.26.119.34      keith   sobolev   tifa
63.209.147.246    keith   sobolev   tifa
64.14.200.154     keith   sobolev   tifa
64.37.200.46      keith   sobolev   tifa
64.56.174.186     keith   sobolev   tifa
64.78.235.14      keith   sobolev   tifa

Note, in particular, that a whole lot of these addresses are
occurring in all three log files.  However, one IP only occurred on
sobolev, one IP is only included with Keith's list, and one IP was
observed by Keith and on tifa, but not on sobolev.

Anyway, I don't have any conclusions to offer on this, but maybe
someone else can offer reasonable ideas.


On 2001-05-15 09:50:06 -0400, Keith.Morgan wrote:
Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
From: "Keith.Morgan" <Keith.Morgan () Terradon com>
To: "'focus-linux () securityfocus com'" <focus-linux () securityfocus com>
Cc: "'incidents () securityfocus com'" <incidents () securityfocus com>
Subject: RE: DNS Floods to personal firewalls
Date: Tue, 15 May 2001 09:50:06 -0400
X-Mailer: Internet Mail Service (5.5.2650.21)

We've been seeing these as well.  But not just to personal firewalls.  I've
seen them on cable modems, dsl lines, and corporate T-1's.

I'm cross-posting this because I've seen references to this type of activity
on multiple lists.

I'm a bit baffled by this.  The source port is always 53, with a random
destination port.  And they appear to be replies to me as well.  A
possibility is that we're being used as decoy addresses in some sort of
scanning.  However, since the addresses are *SO* random, this tends to rule
out nmap as a scanner using --randomize-hosts.  Nmap will randomize, but
when fed a really large network block to scan, it will scan within three or
so class C networks at a time.

Are there other scanning tools with the ability to use spoofed decoy
addresses, yet provide better randomization than nmap when scanning?

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142


-----Original Message-----
From: Ben Alexander [mailto:balexander () pmg net]
Sent: Monday, May 14, 2001 10:25 AM
To: 'n9ubh () callsign net'
Cc: 'focus-linux () securityfocus com'
Subject: RE: DNS Floods to personal firewalls


I received these as well, and I know a few others that receive them also.
Using arin whois, here is what I put together:

[140.239.176.162/17221]    HarvardNet
[165.121.70.75/64551]      Earthlink
[194.205.125.26/41123]     European Regional Internet Registry
[194.213.64.150/47642]     European Regional Internet Registry
[202.139.133.129/41595]    Asia Pacific Network Information Center
[203.194.166.182/38808]    Asia Pacific Network Information Center
[203.208.128.70/12235]     Asia Pacific Network Information Center
[207.55.138.206/61929]     "Verio, Inc."
[208.184.162.71/53567]     Abovenet Communications
[209.249.97.40/45714]      Abovenet Communications
[212.23.225.98/57974]      European Regional Internet Registry
[212.78.160.237/29368]     European Regional Internet Registry
[216.220.39.42/21602]      "Myna Communications, Inc."
[216.33.35.214/21092]      Exodus Communications
[216.34.68.2/45906]        Exodus Communications
[216.35.167.58/32470]      Exodus Communications
[62.23.80.2/55543]         European Regional Internet Registry
[62.26.119.34/56523]       European Regional Internet Registry
[63.209.147.246/54734]     Level 3 Communications
[64.14.200.154/32735]      Exodus Communications
[64.37.200.46/65042]       Exodus Communications
[64.56.174.186/14237]      Exodus Communications
[64.78.235.14/17768]       "Verado, Inc. (Firstworld Communications)"

-----Original Message-----
From: ssrat () MAILBAG COM [mailto:ssrat () MAILBAG COM]
Sent: Sunday, May 06, 2001 10:24 PM
To: FOCUS-LINUX () SECURITYFOCUS COM
Subject: DNS Floods to personal firewalls


There seems to be lots of these happening.  They appear to be some
kind of DNS replies, but are getting rejected by the firewall - these
reports are coming from the Linux Router Project (LRP) list.

I've asked for a tcpdump to be sent, as I've not seen these; could it
be a DNS server somewhere was taken over, or some kind of attack tool
generates the same spoofed addresses?

So far the main report details are the reject lines from ipchains in
/var/logs/messages.

Here is a portion one person posted:

May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)

He has the entire thing in an URL:
http://members.iinet.net.au/~paulhng/lrp/kernlog.txt

It also appears that the same IPs are reported over and over again.
It has the markings of some kind of tool I think - but I'm new at
this.


--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
n9ubh () callsign net




-- 
Thomas Roessler                        http://log.does-not-exist.org/
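An added example, written for this archive page and not posted by anyone in the thread: a small Python parser for the ipchains "Packet log" lines quoted above, a filter for the TCP-to-port-53 pattern the posters describe (PROTO=6, destination port 53, 44-byte header-only packets), and a cross-reference of source addresses across several observers' logs in the style of the keith/sobolev/tifa table. The sample log lines and the observer lists are constructed from values in the thread; the address 10.0.0.5 is a made-up unrelated entry.

```python
import re
from collections import defaultdict

# Field layout of an ipchains 2.2-era "Packet log:" line, as quoted in the thread:
#   input DENY ppp0 PROTO=6 SRC:SPORT DST:DPORT L=len S=tos I=id F=frag T=ttl (#rule)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

def parse_ipchains(line):
    """Return a dict of the fields in one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    return rec

def is_port53_tcp_probe(rec):
    """The pattern discussed in the thread: TCP to port 53, 44 bytes (headers only, no payload)."""
    return rec is not None and rec["proto"] == 6 and rec["dport"] == 53 and rec["len"] == 44

def probe_sources(log_text):
    """Sorted, de-duplicated source addresses of matching lines in a kernel log."""
    records = (parse_ipchains(line) for line in log_text.splitlines())
    return sorted({r["src"] for r in records if is_port53_tcp_probe(r)})

def cross_reference(observers):
    """observers: {observer_name: iterable of source IPs}. Returns {ip: sorted observer names}.
    Addresses seen by only one observer stand out, as in the rows marked '*' above."""
    seen = defaultdict(set)
    for name, ips in observers.items():
        for ip in ips:
            seen[ip].add(name)
    return {ip: sorted(names) for ip, names in seen.items()}

# Constructed sample: two of the tifa lines from the thread plus one unrelated UDP line.
SAMPLE_LOG = """May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
May  6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
May  6 14:40:01 tifa kernel: Packet log: input DENY ppp0 PROTO=17 10.0.0.5:1234 203.59.110.14:137 L=78 S=0x00 I=0 F=0x0000 T=64 (#12)"""

if __name__ == "__main__":
    tifa = probe_sources(SAMPLE_LOG)
    # Constructed observer lists: 'keith' lists both thread addresses, 'sobolev' only one of them.
    table = cross_reference({"tifa": tifa, "keith": tifa, "sobolev": ["208.184.162.71"]})
    for ip, names in sorted(table.items()):
        print(ip, " ".join(names), "*" if len(names) < 3 else "")
```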
