From: Bryan Andersen (bryan@visi.com)
Date: Tue May 15 2001 - 12:00:57 CDT
I've seen lots of DNS MX record requests whenever I post
to a debian list. There are literally hundreds of requests.
Usually on the order of 700-900 each time. They are full
MX record requests. This is relatively new. I'm wondering
if a default configuration has changed such that MX records
are looked up for incoming mail. It also could be something
else.
"Keith.Morgan" wrote:
>
> We've been seeing these as well. But not just to personal firewalls. I've
> seen them on cable modems, dsl lines, and corporate T-1's.
>
> I'm cross-posting this because I've seen references to this type of activity
> on multiple lists.
>
> I'm a bit baffled by this. The source port is always 53, with a random
> destination port. And they appear to be replies to me as well. A
> possibility is that we're being used as decoy addresses in some sort of
> scanning. However, since the addresses are *SO* random, this tends to rule
> out nmap as a scanner using --randomize-hosts. Nmap will randomize, but
> when fed a really large network block to scan, it will scan within three or
> so class C networks at a time.
>
> Are there other scanning tools with the ability to use spoofed decoy
> addresses, yet provide better randomization than nmap when scanning?
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morgan@terradon.com
> 304-755-8291 x142
>
>
> > -----Original Message-----
> > From: Ben Alexander [mailto:balexander@pmg.net]
> > Sent: Monday, May 14, 2001 10:25 AM
> > To: 'n9ubh@callsign.net'
> > Cc: 'focus-linux@securityfocus.com'
> > Subject: RE: DNS Floods to personal firewalls
> >
> >
> > I received these as well, and I know a few others that
> > receive them also.
> > Using arin whois, here is what I put together:
> >
> > > -----Original Message-----
> > > From: ssrat@MAILBAG.COM [mailto:ssrat@MAILBAG.COM]
> > > Sent: Sunday, May 06, 2001 10:24 PM
> > > To: FOCUS-LINUX@SECURITYFOCUS.COM
> > > Subject: DNS Floods to personal firewalls
> > >
> > >
> > > There seems to be lots of these happening. They appear to be some
> > > kind of DNS replies, but are getting rejected by the firewall - these
> > > reports are coming from the Linux Router Project (LRP) list.
> > >
> > > I've asked for a tcpdump to be sent, as I've not seen these; could it
> > > be a DNS server somewhere was taken over, or some kind of attack tool
> > > generates the same spoofed addresses?
> > >
> > > So far the main report details are the reject lines from ipchains in
> > > /var/logs/messages.
> > >
> > > Here is a portion one person posted:
> > >
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 194.205.125.26:42786 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 209.249.97.40:34126 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.33.35.214:15928 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 140.239.176.162:11843 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.34.68.2:38839 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 207.55.138.206:24678 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=238 (#37)
> > > May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 216.35.167.58:24169 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#37)
> > >
> > > He has the entire thing in a URL:
> > > http://members.iinet.net.au/~paulhng/lrp/kernlog.txt
> > >
> > > It also appears that the same IPs are reported over and over again.
> > > It has the markings of some kind of tool I think - but I'm new at
> > > this.
--
| Bryan Andersen | bryan@visi.com | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
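One way to triage the ipchains reject lines quoted in this thread, as an added example that is not from any of the posters: it parses the "Packet log" format and measures what the thread is asking about, how many distinct sources hit port 53 in the same second and which sources show up over and over. The sample log is constructed here from three lines in the thread plus two made-up entries (a later repeat of one source and an unrelated UDP hit) so the checks have something to find.

```python
import re
from collections import Counter, defaultdict

# ipchains "Packet log" line, in the shape quoted from /var/log/messages above.
IPCHAINS_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample: three entries copied from the thread, then a made-up later
# repeat of 208.184.162.71 and a made-up unrelated UDP hit on port 111.
SAMPLE_LOG = """\
May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:34387 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 202.139.133.129:47571 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#37)
May 6 14:39:57 tifa kernel: Packet log: input DENY ppp0 PROTO=6 203.208.128.70:16146 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=247 (#37)
May 6 14:40:12 tifa kernel: Packet log: input DENY ppp0 PROTO=6 208.184.162.71:40112 203.59.110.14:53 L=44 S=0x00 I=0 F=0x0000 T=236 (#37)
May 6 14:40:12 tifa kernel: Packet log: input DENY ppp0 PROTO=17 10.0.0.5:2049 203.59.110.14:111 L=60 S=0x00 I=0 F=0x0000 T=64 (#37)
"""

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None for other lines."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec

def summarize(log_text, dport=53):
    """Aggregate denied packets to one port: hits in the busiest second, sources
    that recur, and sources whose TTL differs between hits (a real host on a
    fixed path normally keeps the same TTL, so a changing one deserves a look)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["dport"] == dport]
    per_second = Counter(r["ts"] for r in recs)
    per_src = Counter(r["src"] for r in recs)
    ttl_by_src = defaultdict(set)
    for r in recs:
        ttl_by_src[r["src"]].add(r["ttl"])
    return {
        "matched": len(recs),
        "sources": len(per_src),
        "peak_per_second": max(per_second.values(), default=0),
        "repeat_sources": sorted(s for s, n in per_src.items() if n > 1),
        "unstable_ttl": sorted(s for s, t in ttl_by_src.items() if len(t) > 1),
    }
```

Run it over a real /var/log/messages with `summarize(open(path).read())`; a high peak_per_second with few or no repeat_sources points at a burst from many distinct addresses, which is what the posters describe.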