Security Incidents mailing list archives

Re: Interesting DNS update traffic


From: Todd Hayton <mhayton () crib corepower com>
Date: Tue, 30 Mar 2004 10:41:35 -0500 (EST)

I've seen similar traffic in my pf logs over the past few days but from a
different set of source IPs:

pflog.txt.1:Mar 27 14:20:01 fwall pf: Mar 27 14:12:46.099138 rule 0/0(match): block in on rl0: 45.251.175.19.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 72/72/72 (Class 0) Type0[|domain] (DF)

pflog.txt.2:Mar 26 22:15:01 fwall pf: Mar 26 22:06:16.057139 rule 0/0(match): block in on rl0: 29.159.165.146.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 30/30/30 (Class 0) Type0[|domain] (DF)

pflog.txt.3:Mar 25 08:55:01 fwall pf: Mar 25 08:48:50.479744 rule 0/0(match): block in on rl0: 49.56.215.163.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 35/35/35 (Class 0) Type0[|domain] (DF)

pflog.txt.3:Mar 25 23:55:02 fwall pf: Mar 25 23:45:11.461962 rule 0/0(match): block in on rl0: 34.109.21.92.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 41/41/41 (Class 0) Type0[|domain] (DF)

pflog.txt.3:Mar 26 01:55:02 fwall pf: Mar 26 01:46:38.706932 rule 0/0(match): block in on rl0: 16.248.135.63.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 51/51/51 (Class 0) Type0[|domain] (DF)
...

From the following IPs:

# grep "4097q" pflog.txt* | sed 's/,//g' | awk '{ print $15 }'
37.165.209.17.53
45.251.175.19.53
29.159.165.146.53
49.56.215.163.53
34.109.21.92.53
16.248.135.63.53
21.183.93.198.53
26.11.190.58.53
45.250.18.174.53
58.57.115.104.53
42.233.82.62.53
37.9.150.198.53
204.1.164.107.53
86.44.104.86.53
21.76.6.65.53

Todd H

On Mon, 29 Mar 2004, Sean Brown wrote:

Hi everyone,

While doing some troubleshooting today, I was reviewing today's log from
an OpenBSD 3.3 firewall and I came upon the following suspicious DNS
update traffic.

Time                        Source           Destination      Protocol  Info
2004-03-29 13:06:11.056733  20.87.190.227    209.113.190.211  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:12.468681  36.49.115.79     209.113.190.207  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:14.561772  31.136.221.227   209.113.190.210  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:15.871554  30.31.90.154     209.113.190.205  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:16.150394  54.198.211.46    209.113.190.195  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:17.775273  23.183.133.136   209.113.190.208  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:23.721351  51.241.219.97    209.113.190.194  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:24.647438  61.48.97.11      209.113.190.206  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:26.813833  47.74.126.220    209.113.190.215  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:28.235247  60.202.159.106   209.113.190.198  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:30.515665  31.199.106.90    209.113.190.201  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:35.323170  36.180.174.139   209.113.190.197  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:37.531606  18.19.115.205    209.113.190.199  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:41.338303  16.51.94.166     209.113.190.196  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:43.369206  26.160.38.131    209.113.190.216  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:47.752669  47.210.221.34    209.113.190.209  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:48.584972  20.185.14.226    209.113.190.203  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:06:49.485831  20.9.80.58       209.113.190.202  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:07:04.890184  31.9.122.6       209.113.190.200  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:07:04.892058  29.2.132.185     209.113.190.204  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:07:04.892536  27.11.65.237     209.113.190.212  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:07:04.895203  30.174.222.156   209.113.190.213  DNS       Dynamic update response[Malformed Packet]
2004-03-29 13:07:04.896306  20.32.33.147     209.113.190.214  DNS       Dynamic update response[Malformed Packet]

The pflog file captured the following strangeness.  It is a single entry
in the log and is 94405 characters long (I snipped out the middle for
readability).
13:06:11.056733 rule 85/0(match): block in on fxp0: 20.87.190.227.53 > 209.113.190.211.1026:  1024 update [4097q] q: Type0 (Class 0)? ., q: Type0 (Class 0)? ., <---snip---> Type0 (Class 0)? . 57/57/57 . (Class 0) Type0[|domain] (DF) (ttl 124, id 40425)

Ethereal shows the following selected information for one of the
packets.  The detail between the <NOTE></NOTE> tags is interesting.
(236 bytes on wire, 96 bytes captured)
    Arrival Time: Mar 29, 2004 13:06:11.056733000
    Time delta from previous packet: 55.343854000 seconds
    Time relative to first packet: 39949.497288000 seconds
    Frame Number: 4944
    Packet Length: 236 bytes
    Capture Length: 96 bytes
Internet Protocol, Src Addr: 20.87.190.227 (20.87.190.227), Dst Addr: 209.113.190.211 (209.113.190.211)
    Source: 20.87.190.227 (20.87.190.227)
    Destination: 209.113.190.211 (209.113.190.211)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1026 (1026)
    Source port: domain (53)
    Destination port: 1026 (1026)
    Length: 188
Domain Name System (response)
    Transaction ID: 0x0400
    Flags: 0xa880 (Dynamic update response, No error)
        1... .... .... .... = Response: Message is a response
        .010 1... .... .... = Opcode: Dynamic update (5)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
<NOTE>
    Questions: 4097
    Answer RRs: 57
    Authority RRs: 57
    Additional RRs: 57
    Zone
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unused, class unknown
            Name: <Root>
            Type: unused
            Class: unknown
        <Root>: type unknown, class unknown
            Name: <Root>
            Type: Unknown RR type (248)
            Class: unknown
        <Unknown extended label>: type ANY, class unknown
            Name: <Unknown extended label>
            Type: Request for all records
            Class: unknown
[Malformed Packet: DNS]
</NOTE>

=======================

There are a couple of interesting things.  The fact that we got hit on 23
different IPs by 23 distinct source addresses within 53 seconds would
perhaps indicate spoofed IPs from a single machine.  Tracerouting to
each IP succeeds in four hops to the following machine, 65.112.16.5,
which resolves to <bos-edge-02.inet.qwest.net>, an edge router linking
QWEST and our ISP.  However, TTLs for all 23 captured packets are
inconsistent with this and do not indicate 4 hops.

ARIN lookups on each of the above IP addresses resolve the following
gems:

20.87.190.227 = CSC.com (Computer Sciences Corporation)
36.49.115.79 = IANA Reserved
31.136.221.227 = IANA Reserved
30.31.90.154 = DoD Network Information Center
54.198.211.46 = Merck
23.183.133.136 = IANA Reserved
51.241.219.97 = Dept Social Security of the UK
61.48.97.11 = APIC
47.74.126.220 = Bell Northern Research
18.19.115.205 = MIT
16.51.94.166 = DEC
26.160.38.131 = DoD NIC
29.2.132.185 = DoD NIC
27.11.65.237 = IANA Reserved

So, has anyone seen anything like this before?  I'd love to hear what anyone
might have to say about this.  The source IPs are interesting in that
they are not just random broadband customer IPs.  They are all Class A
networks, either reserved or for major organizations, all terminating
at an edge router for QWEST.  Is this an owned router?


Cheers,

Sean Brown
Director Information Resources
Applied Geographics, Inc.
Boston, MA
617-292-7125

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------



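An added example, not code from either poster, that does in Python the two things the thread does by eye: it parses the 12-byte DNS header of the captured packet and flags why the counts are impossible for a packet of that size, and it pulls the "[4097q]" update events and their source addresses out of pflog lines the way Todd's grep/sed/awk pipeline does. The packet bytes and the log lines below are constructed for the example from the values quoted in the thread (ID 0x0400 is what tcpdump prints as "1024"; flags 0xa880; counts 4097/57/57/57; UDP length 188 so 180 bytes of DNS payload); the function names and the benign comparison packet are my own.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Constructed sample: the DNS header as Ethereal decoded it in the captured
# packet, padded to the 180 payload bytes the UDP length implies. Only the
# header is real data from the thread; the padding is filler for the example.
SAMPLE_DNS_PAYLOAD = struct.pack("!HHHHHH", 0x0400, 0xA880, 4097, 57, 57, 57) + b"\x00" * 168

# Constructed benign response for comparison: one question for example.com,
# one A record (192.0.2.1) using a compression pointer back to the question.
BENIGN_DNS_PAYLOAD = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)

OPCODE_UPDATE = 5


@dataclass
class DnsHeader:
    txid: int
    flags: int
    qdcount: int   # ZOCOUNT in an UPDATE message (RFC 2136)
    ancount: int   # PRCOUNT in an UPDATE message
    nscount: int   # UPCOUNT in an UPDATE message
    arcount: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & 0x8000)

    @property
    def opcode(self) -> int:
        return (self.flags >> 11) & 0xF

    @property
    def rcode(self) -> int:
        return self.flags & 0xF


def parse_header(payload: bytes) -> DnsHeader:
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    return DnsHeader(*struct.unpack("!HHHHHH", payload[:12]))


def header_anomalies(payload: bytes) -> list[str]:
    """Reasons a DNS payload cannot be what its header claims, from the header alone."""
    h = parse_header(payload)
    reasons = []
    # Smallest possible encodings: a question is at least 5 bytes (1-byte root
    # name + TYPE + CLASS); an RR is at least 11 (root name + TYPE + CLASS +
    # TTL + RDLENGTH with empty RDATA). If even that does not fit, the counts lie.
    min_len = 12 + 5 * h.qdcount + 11 * (h.ancount + h.nscount + h.arcount)
    if min_len > len(payload):
        reasons.append(f"section counts need at least {min_len} bytes but payload is {len(payload)}")
    if h.opcode == OPCODE_UPDATE and h.qdcount != 1:
        reasons.append(f"UPDATE message with ZOCOUNT={h.qdcount}; RFC 2136 updates carry exactly one zone entry")
    return reasons


# Constructed pflog lines in the format the posts show, joined onto single lines.
SAMPLE_PFLOG = """\
pflog.txt.1:Mar 27 14:20:01 fwall pf: Mar 27 14:12:46.099138 rule 0/0(match): block in on rl0: 45.251.175.19.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 72/72/72 (Class 0) Type0[|domain] (DF)
pflog.txt.2:Mar 26 22:15:01 fwall pf: Mar 26 22:06:16.057139 rule 0/0(match): block in on rl0: 29.159.165.146.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 30/30/30 (Class 0) Type0[|domain] (DF)
pflog.txt.3:Mar 25 08:55:01 fwall pf: Mar 25 08:48:50.479744 rule 0/0(match): block in on rl0: 49.56.215.163.53 > 69.140.169.126.1026:  1024 update [4097q],,,<snip> 35/35/35 (Class 0) Type0[|domain] (DF)
"""

# tcpdump prints the transaction ID in decimal ("1024"), the opcode name
# ("update"), the question count ("[4097q]") and then an/ns/ar counts.
PFLOG_RE = re.compile(
    r"block in on (?P<ifc>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<txid>\d+) update \[(?P<qd>\d+)q\]"
    r".*?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)


def pflog_update_events(text: str) -> list[dict]:
    """Extract blocked DNS UPDATE events from pflog/tcpdump-style lines."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            events.append({k: (v if k in ("ifc", "src", "dst") else int(v))
                           for k, v in m.groupdict().items()})
    return events


def source_ips(events: list[dict]) -> list[str]:
    """Unique source addresses, sorted, like the grep | awk pipeline but de-duplicated."""
    return sorted({e["src"] for e in events})


if __name__ == "__main__":
    for r in header_anomalies(SAMPLE_DNS_PAYLOAD):
        print("captured packet:", r)
    evs = pflog_update_events(SAMPLE_PFLOG)
    print("sources:", source_ips(evs))
```

The length check is the one worth keeping in a detector: a header whose counts cannot fit in the datagram is malformed no matter what the rest of the packet says, and it needs no RR parsing, so it is cheap to run on every blocked DNS packet.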

