Security Incidents mailing list archives

Strange DNS stuff


From: "Anthony Buser" <ABuser () UnConundrum com>
Date: Wed, 27 Feb 2002 14:30:20 -0500

Hi, I was wondering if anyone can help me out with an odd DNS problem I'm
having.  For some reason our DNS appears to be getting corrupted and
random sites resolve to the following IP address: 212.69.172.16, which is
a webpage that says just the following text:

Willkommen am Weiterleitungsserver, 
Die Webweiterleitung ist noch nicht eingerichtet.

(the German translates to basically, welcome to the forward server, the
forwarding isn't done yet; pretty harmless, but when websites start
going to a plain German website I got a lot of calls)

Sometimes it redirects to: http://212.69.172.16/forward.php

Which talks about how my DNS may have been attacked or have a wrong
configuration, but doesn't give any more info beyond that.

Our DNS servers are running win2k DNS.  Upon looking at the event viewer
I'm getting a lot of messages saying "event id: 5504, The DNS server
encountered an invalid domain name in a packet from x.x.x.x. The packet
is rejected."  It seems as though I'm being attacked and someone may be
messing with my DNS cache.  How, I don't know.  These messages are
coming from the following IP addresses:

63.239.93.60
63.239.93.61
66.60.156.146

All of which appear to belong to the University of New Haven.  I tried
contacting them via email, but all addresses at newhaven.com appear to
fail.  I have contacted upstream people and am awaiting a response.  That last
IP address, 66.60.156.146, worries me that someone is messing around,
because it lists courses having to do with firewalls, viruses, and
cyberterrorism (gah!).

I'm running snort, but it hasn't seemed to pick up anything unusual.

I tried running tcpdump on our firewall to try and see what's going on.
Unfortunately I'm not very experienced with reading tcpdump output, so I
don't quite know what's going on:

tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61

13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10]  (ttl
53, id 17536)
13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10]  (ttl
52, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195:
63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195:
63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0
all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR
www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)

Clearing the DNS cache solves the problem, but it started to creep back
in, so I've blocked all traffic from those IP addresses to see if that
stops it from happening again.

Any insight would be gratefully appreciated.  Thanks!

- Anthony Buser
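A small checker for the symptom in the capture above, added here as an example and not part of the original post: it parses tcpdump's one-line DNS response summaries and flags any transaction id / port pair that receives answers from more than one source address, which is exactly what the three hosts above are doing to port 1063 with id 14308. The regex is an assumption about tcpdump's summary format, and the sample lines are the post's own capture lines flattened and trimmed to the parts that matter.

```python
import re
from collections import defaultdict

# Sample input: the inbound (eth0) response lines from the post's tcpdump
# capture, each flattened onto one line and trimmed of the MAC addresses and
# the trailing answer records. Only the "src > dst: id flags q: name a/n/a"
# part is parsed.
CAPTURE = """\
13:37:48.274749 eth0 < ip 195: 66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 (153) (ttl 53, id 17536)
13:37:48.314866 eth0 < ip 195: 63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 (153) (ttl 57, id 39714)
13:37:52.339289 eth0 < ip 195: 63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 (153) (ttl 57, id 16316)
"""

# Assumed tcpdump summary shape:
#   <src>.domain > <dst>.<port>: <txid><flags> q: <qname> <an>/<ns>/<ar>
# where flags such as "*" (authoritative answer) and "-" (recursion not
# available) follow the transaction id directly.
RESPONSE_RE = re.compile(
    r"(?P<src>[\w.]+)\.domain > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[*\-|$]*) q: (?P<qname>\S+) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)


def parse_responses(text):
    """Return one dict per DNS response summary line found in the capture."""
    out = []
    for line in text.splitlines():
        m = RESPONSE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("dport", "txid", "an", "ns", "ar"):
                rec[key] = int(rec[key])
            out.append(rec)
    return out


def find_suspect_responses(responses):
    """Group replies by (resolver, resolver port, transaction id, query name)
    and return the groups answered by more than one source address.

    A recursive resolver expects exactly one reply per outstanding query,
    from the server it asked. Several different hosts all answering the
    same id/port pair for the same name is not a legitimate lookup and is
    worth a block at the firewall plus a cache flush, as the poster did."""
    sources = defaultdict(set)
    for r in responses:
        sources[(r["dst"], r["dport"], r["txid"], r["qname"])].add(r["src"])
    return {key: sorted(srcs) for key, srcs in sources.items() if len(srcs) > 1}
```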

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
