Security Incidents: Re: Unwanted DNS connection attempts

[Aj Effin ReznoR <aj () REZNOR COM>]

Richard Bejtlich wrote:
> Alex,
>
> These are most likely round trip time (RTT) latency
> tests from an F5 3DNS load balancer.  I describe
> traffic like this in a paper at http://bejtlich.net
> called "Interpreting Network Traffic."  This traffic is
> bothersome but not malicious.  You can ignore it.  I
> recognize the Exodus source IPs from last year, also.
>
> Richard
> > They are both UDP and TCP, so I also suspect
> zone transfer attempts.
> > Here are the logs, times GMT+0300, ntp stratum 3
> synchronised:
> > Sep  4 20:00:11 ns ipmon[254]: 20:00:10.664287
> ed0 @0:20 b 200.211.187.194,3400 ->
> 192.129.3.227,53 PR tcp len 20 26624 -S IN
> > Sep  4 20:13:32 ns ipmon[254]: 20:13:32.402648
> ed0 @0:20 b 209.67.42.162,2200 ->
> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Alex,

I beg to differ on your last sentence.  Richard's email addy was .ro, which
matches with the destination IP of 192.129.3.227.
The first IP listed above, 200.211.187.194, ARINs to a co. in San Paulo, Brazil.

The second IP, 209.67.42.162, is indeed under Exodus, but "belongs" to a company
in New York called "Starmedia".

I wouldn't blame Exodus for this.  Not entirely at least.  From what I recall of
glancing around in the 2 Exodus centers I've been in, I don't recall seeing any
F5 hardware.

Others in that block follow suit.

-aj.