Security Incidents mailing list archives

Re: [inbox] RE: Bogus DNS traffic


From: John Sage <jsage () finchhaven com>
Date: Thu, 30 Oct 2003 09:24:14 -0800

David:

On Fri, Oct 24, 2003 at 08:35:20AM -0700, David Gillett wrote:
  Just to clarify:

/* snip */

  And to reiterate:

  Several people have suggested I check

http://people.ists.dartmouth.edu/~gbakos/bindsweep/

I have, and it appears to describe exactly what I'm seeing.
Thank you.

Do you have any full packet captures?

I've just been looking at some interesting UDP 53:53 traffic that
seems to contain sets of IP address:port 53 pairs, each terminated by
hex 0x00 viz:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/29-07:22:27.796597 10.0.98.93:53 -> 67.119.168.10:53
UDP TTL:127 TOS:0x0 ID:8647 IpLen:20 DgmLen:95
Len: 75
05
   43 77 A8 0A 35 00
                     51 48 11 94 35 00
                                       18 46 5F  .Cw..5.QH..5..F_
CB 35 00
         00 00 00 00 00 00 00 00 00 00 00 00 00  .5..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00                                         ...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[jsage@sparky /storage/virii] $ 2 hd 43 77 A8 0A 35
67
119
168
10
53

67.119.168.10:53

[jsage@sparky /storage/virii] $ host 67.119.168.10
10.168.119.67.in-addr.arpa domain name pointer
  adsl-67-119-168-10.dsl.frsn01.pacbell.net.


[jsage@sparky /storage/virii] $ 2 hd 51 48 11 94 35
81
72
17
148
53

81.72.17.148:53

[jsage@sparky /storage/virii] $ host 81.72.17.148
148.17.72.81.in-addr.arpa domain name pointer
  host148-17.pool8172.interbusiness.it.


[jsage@sparky /storage/virii] $ 2 hd 18 46 5F CB 35
24
70
95
203
53

24.70.95.203:53

Request: 24.70.95.203
connected to whois.arin.net [192.149.252.43:43] ...
 
OrgName:    Shaw Communications Inc.
OrgID:      SHAWC
Address:    Suite 800
Address:    630 - 3rd Ave. SW
City:       Calgary
StateProv:  AB
PostalCode: T2P-4L4
Country:    CA




- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
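The decoding John does by hand above (one `2 hd` call per group of bytes, then a reverse lookup) can be automated. The following Python is an added example, not code from the original message; it reads the payload under the structure John describes (4-byte IPv4 address, port byte 0x35, 0x00 terminator). Two things it assumes that the message does not state: the leading 0x05 byte is skipped as a one-byte header, and an all-zero record marks the start of padding. Note that the bytes `35 00` are also exactly what a little-endian 16-bit value of 53 looks like, so the dump alone cannot tell "port byte plus 0x00 terminator" from a two-byte little-endian port; the check on the sixth byte holds under either reading for port 53. The reverse-pointer names are computed locally from the addresses (no DNS query is made) and match the `in-addr.arpa` names in the `host` output above.

```python
import ipaddress
from typing import List, Tuple

# UDP payload of the 10/29-07:22:27 packet, copied from the hex columns of
# the dump in the message (ASCII column dropped). 67 bytes, which is the
# IP DgmLen of 95 minus the 20-byte IP header and 8-byte UDP header.
PAYLOAD_HEX = (
    "05 43 77 A8 0A 35 00 51 48 11 94 35 00 18 46 5F "
    "CB 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00"
)

HEADER_LEN = 1   # assumption: the leading 0x05 is a one-byte header
RECORD_LEN = 6   # 4-byte IPv4 address, 1-byte port, 1-byte 0x00 terminator


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn whitespace-separated hex pairs into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def parse_records(payload: bytes) -> List[Tuple[str, int]]:
    """Decode the payload into (dotted-quad, port) pairs.

    Records are read after HEADER_LEN bytes, RECORD_LEN bytes each, until an
    all-zero record is hit (assumed to be padding) or the data runs out.  A
    non-zero terminator byte is treated as a parse error rather than guessed
    around, so a packet that does not fit the layout is reported, not mangled.
    """
    records: List[Tuple[str, int]] = []
    body = payload[HEADER_LEN:]
    for off in range(0, len(body) - RECORD_LEN + 1, RECORD_LEN):
        rec = body[off:off + RECORD_LEN]
        if rec == b"\x00" * RECORD_LEN:
            break  # zero padding: end of the list
        if rec[5] != 0x00:
            raise ValueError(
                f"record at payload offset {HEADER_LEN + off} lacks 0x00 "
                f"terminator: {rec.hex()}"
            )
        ip = str(ipaddress.IPv4Address(rec[:4]))
        port = rec[4]
        records.append((ip, port))
    return records


def reverse_names(records: List[Tuple[str, int]]) -> List[str]:
    """in-addr.arpa names for the parsed addresses, computed offline."""
    return [ipaddress.IPv4Address(ip).reverse_pointer for ip, _ in records]


def decode_capture() -> List[Tuple[str, int]]:
    """Parse the embedded payload from the message."""
    return parse_records(hexdump_to_bytes(PAYLOAD_HEX))


if __name__ == "__main__":
    recs = decode_capture()
    for (ip, port), ptr in zip(recs, reverse_names(recs)):
        print(f"{ip}:{port}  ({ptr})")
```

Run stand-alone it prints the three address:port pairs John decoded above, one per line, each followed by its `in-addr.arpa` name; feed `parse_records` the payload of any other packet from the same traffic to see whether it follows the same layout or trips the terminator check.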
