Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 03 Aug 2004 17:52:37 -0500
On Tue, 2004-08-03 at 15:28, Mark wrote:
I'd say I'm pretty much seeing the same thing from the following 14 addresses. 202.103.67.196 - appears in dshield -- check 218.25.41.136 - does not appear in dshield -- check 218.30.23.100 - appears in dshield -- check 218.30.23.161 - does not appear in dshield -- nope 218.30.23.162 - appears in dshield -- nope 218.75.110.194 - appears in dshield -- check 61.135.158.170 - does not appear in dshield -- check 61.135.158.171 - appears in dshield -- check 61.135.158.28 - appears in dshield -- check 61.135.158.29 - appears in dshield -- check 61.135.158.30 - does not appear in dshield --check 61.135.158.31 - does not appear in dshield -- check 61.135.158.34 - does not appear in dshield -- check 61.135.158.35 - does not appear in dshield -- check
I see those, and I raise you the following :) 61.145.121.16 63.210.252.135 63.240.26.10 64.170.177.10 66.150.165.7 216.154.239.240 218.75.110.194
I was guessing it was targeting suspected DNS servers based on it seeing queries at some point. The target is the dynamic NAT address of one of our internal DNS servers, DNS is the only service running on that box and the only thing that server is allowed to do to the outside world is DNS queries.
Good, so it appears that the "trigger" are DNS queries then (I confirmed that internal DNS queries appear from my targeted address as well). This falls further in line with Paul's findings. So, I'm speculating that a DNS lookup to something somewhere results in these IP's performing the observed theatrics (two UDP DNS queries, one TCP SYN scan with payload, and one ICMP ping). Let's see: 61.135.158.28-35, 61.135.158.170-171, 61.145.121.16, 202.103.67.196, 218.25.41.136, 218.30.23.161-162, 218.30.23.100, 218.75.110.194 are all China. 216.154.239.240 - SBC in Irvine 66.150.165.7 - Logical US-AWS NAP through Internap 64.170.177.10 - SBC Interactive through PacBell 63.240.26.10 - CERFnet 63.210.252.135 - Level 3 I'm not sure about my additional IP's as they don't have the same volume as the initially reported three (218.75.110.194, 61.135.158.28, and 61.135.158.29). I'll take a look at the payload shortly. If it turns out that all mystery come from China, what do you make out of that? Later, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros Paul Schmehl (Aug 03)
- Re: FW: Question for DNS pros Ron DuFresne (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros Ron DuFresne (Aug 03)
- Re: FW: Question for DNS pros Ron DuFresne (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros Mark (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros Paul Schmehl (Aug 03)
- Re: FW: Question for DNS pros Frank Knobbe (Aug 03)
- Re: FW: Question for DNS pros grutz (Aug 03)