Message-ID: <1091544539.525.69.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: FW: Question for DNS pros

Paul,

I'm seeing the same thing now. It caught my eye because of another
oddity that occurs from those IP's and I wanted to check with you if you
see that as well. These addresses (about a dozen IP's from China in my
case) also send a TCP SYN packet with 24 '0x00' bytes payload to port
53. Seq # and Ack # are set, window size is 2048 (although I haven't
confirmed that with all past scans).

Below is a tcpdump. See if that looks familiar :)

So it doesn't appear to be targeted just at UT Dallas. I start to wonder
if other sites get hit too, but if that flies under the radar. 

Also, there is no name server at that address, never has been. The IP
being targeted is the global NAT IP of a firewall. All outbound
connections come from that IP. No other IP (in a two class C range) is
being hit.

This started on a regular basis last week and seems steady:
 2004-05-15 |    10
 2004-05-21 |     9
 2004-06-15 |     6
 2004-07-07 |     6
 2004-07-25 |    94
 2004-07-26 |    22
 2004-07-28 |   211
 2004-07-29 |   281
 2004-07-30 |   211
 2004-07-31 |   312
 2004-08-01 |   307
 2004-08-02 |   274
 2004-08-03 |   111 (so far)

There are about 18 sources involved, but the majority of the packets are
coming from 218.75.110.194 (601), 61.135.158.28 (589), and 61.135.158.29
(451), all three from China. All unsolicited incoming packets. Nothing
is part of any kind of communication (i.e. response to web browsing,
triggering web bugs, p2p, IM, etc).

Paul, were you able to find anything out about this? Do those IP's
correlate with your captured IP's? Do you see the TCP SYN too? Is anyone
else seeing this pattern?

Regards,
Frank


tcpdump:

21:16:15.434753 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51621
NS? . (17) (ttl 44, id 51622, len 45)
21:16:16.194129 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51622
NS? . (17) (ttl 44, id 51623, len 45)
21:16:16.932505 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51623
NS? . (17) (ttl 44, id 51624, len 45)

21:16:18.431546 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9949
PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9950, len 73)
21:16:19.186279 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9950
PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9951, len 73)
21:16:19.939409 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9951
PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9952, len 73)

21:16:21.433511 218.75.110.194.53 > x.x.x.x.33434: [udp sum ok]  10344
FormErr [0q] 0/0/0 (36) (ttl 44, id 10344, len 64)
21:16:22.196164 218.75.110.194.53 > x.x.x.x.33434: [udp sum ok]  10345
FormErr [0q] 0/0/0 (36) (ttl 44, id 10345, len 64)
21:16:22.995559 218.75.110.194.53 > x.x.x.x.33434: [udp sum ok]  10346
FormErr [0q] 0/0/0 (36) (ttl 44, id 10346, len 64)

21:16:24.448425 218.75.110.194.1758 > x.x.x.x.53: S [tcp sum ok]
3939495989:3939496013(24) win 2048 0 [0q] (22) (ttl 44, id 1, len 64)
21:16:25.208289 218.75.110.194.1794 > x.x.x.x.53: S [tcp sum ok]
3774103031:3774103055(24) win 2048 0 [0q] (22) (ttl 44, id 2, len 64)
21:16:26.005612 218.75.110.194.1821 > x.x.x.x.53: S [tcp sum ok]
992083552:992083576(24) win 2048 0 [0q] (22) (ttl 44, id 3, len 64)

21:16:27.441872 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id
32512, len 64)
21:16:28.191483 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id
32747, len 64)
21:16:28.949630 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id
32997, len 64)
21:16:41.758970 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id
36248, len 64)
21:16:42.166118 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id
36448, len 64)
21:16:42.898505 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id
36627, len 64)




On Sun, 2004-07-25 at 13:57, Paul Schmehl wrote:
> 22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29462 NS? . 
> (17)
> 22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29463 NS? . 
> (17)
> 22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29464 NS? . 
> (17)
> 22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30290 PTR? 
> 63.37.110.129.in-addr.arpa. (44)
> 22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30291 PTR? 
> 63.37.110.129.in-addr.arpa. (44)
> 22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30292 PTR? 
> 63.37.110.129.in-addr.arpa. (44)
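
The five-step pattern Frank describes (root NS query, PTR lookup of the target, FormErr "response" to UDP port 33434, TCP SYN to port 53 carrying a 24-byte payload, then ICMP echo) is easy to pick out of a tcpdump log mechanically. The script below is an added example, not part of the post or of any tool mentioned in the thread: it parses tcpdump lines in the format shown above, tags each line with the probe type it represents, and reports which source addresses exhibit the full sequence. The sample input is the post's own lines re-joined onto single lines (the archive wraps them), with the target still masked as x.x.x.x, plus two constructed benign lines (an ordinary A? query and a payload-less SYN) so the classifier has something to leave alone. The label names (`root_ns_probe`, `syn_payload_to_53`, and so on) are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample input, constructed for this example: the post's tcpdump lines joined
# onto single lines, plus two benign lines (10.0.0.7 / 10.0.0.9) that are not
# from the post. The target stays masked as x.x.x.x exactly as in the post.
SAMPLE_TCPDUMP = """\
21:16:15.434753 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51621 NS? . (17) (ttl 44, id 51622, len 45)
21:16:18.431546 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9949 PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9950, len 73)
21:16:21.433511 218.75.110.194.53 > x.x.x.x.33434: [udp sum ok]  10344 FormErr [0q] 0/0/0 (36) (ttl 44, id 10344, len 64)
21:16:24.448425 218.75.110.194.1758 > x.x.x.x.53: S [tcp sum ok] 3939495989:3939496013(24) win 2048 0 [0q] (22) (ttl 44, id 1, len 64)
21:16:27.441872 218.75.110.194 > x.x.x.x: icmp: echo request (ttl 44, id 32512, len 64)
21:20:01.000000 10.0.0.7.40000 > x.x.x.x.53: [udp sum ok]  1234 A? www.example.com. (33) (ttl 60, id 1, len 61)
21:20:02.000000 10.0.0.9.50000 > x.x.x.x.53: S [tcp sum ok] 1000:1000(0) win 65535 <mss 1460> (ttl 60, id 2, len 44)
"""

# The five probe types seen in the post; a source showing all of them "matches".
PROFILE: Set[str] = {
    "root_ns_probe", "ptr_probe", "unsolicited_formerr", "syn_payload_to_53", "icmp_echo",
}

# "HH:MM:SS.frac  src > dst: rest"; src/dst carry a trailing .port for TCP/UDP.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
PAYLOAD_RE = re.compile(r"\d+:\d+\((\d+)\)")  # tcpdump's seq:seq(len) field on TCP lines
ROOT_NS_RE = re.compile(r"\bNS\? \. ")         # "NS? ." is a query for the root zone's NS set


@dataclass
class Record:
    ts: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    payload_len: int
    kind: str


def _split_endpoint(endpoint: str, has_port: bool):
    """Split 'a.b.c.d.port' into (host, port); ICMP endpoints have no port."""
    if not has_port:
        return endpoint, None
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def _proto_of(rest: str) -> str:
    if "[tcp" in rest:
        return "tcp"
    if "[udp" in rest:
        return "udp"
    if rest.startswith("icmp:"):
        return "icmp"
    return "other"


def _classify(proto: str, src_port, dst_port, payload_len: int, rest: str) -> str:
    if proto == "udp" and dst_port == 53 and ROOT_NS_RE.search(rest):
        return "root_ns_probe"
    if proto == "udp" and dst_port == 53 and "PTR? " in rest and "in-addr.arpa" in rest:
        return "ptr_probe"
    # A DNS "response" arriving from port 53 that nothing on our side asked for.
    if proto == "udp" and src_port == 53 and "FormErr" in rest:
        return "unsolicited_formerr"
    # A bare SYN (flags == S) to port 53 that already carries data is abnormal.
    if proto == "tcp" and dst_port == 53 and rest.startswith("S ") and payload_len > 0:
        return "syn_payload_to_53"
    if proto == "icmp" and "echo request" in rest:
        return "icmp_echo"
    return "other"


def parse_tcpdump(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped continuation lines and anything unrecognised
        rest = m.group("rest")
        proto = _proto_of(rest)
        has_port = proto in ("tcp", "udp")
        src_ip, src_port = _split_endpoint(m.group("src"), has_port)
        dst_ip, dst_port = _split_endpoint(m.group("dst"), has_port)
        pm = PAYLOAD_RE.search(rest) if proto == "tcp" else None
        payload_len = int(pm.group(1)) if pm else 0
        kind = _classify(proto, src_port, dst_port, payload_len, rest)
        records.append(Record(m.group("ts"), proto, src_ip, src_port, dst_ip, dst_port, payload_len, kind))
    return records


def kinds_by_source(records: List[Record]) -> Dict[str, Set[str]]:
    """Map each source IP to the set of probe types it has been seen sending."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.kind != "other":
            out[r.src_ip].add(r.kind)
    return dict(out)


def sources_matching_profile(records: List[Record], profile: Set[str] = PROFILE) -> List[str]:
    """Source IPs that have sent every probe type in the profile."""
    return sorted(ip for ip, kinds in kinds_by_source(records).items() if profile <= kinds)


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_TCPDUMP)
    for r in recs:
        print(f"{r.ts} {r.src_ip:>16} {r.proto:<4} -> {r.dst_port!s:>6} {r.kind}")
    print("full pattern from:", sources_matching_profile(recs))
```

Feed it `tcpdump -nn` output over a longer window (or a day's worth from several sensors) and `kinds_by_source` also answers Frank's question about how many of the roughly 18 sources show the whole sequence versus only part of it. One caveat: the `unsolicited_formerr` rule only means "came from port 53 with FormErr"; on a capture that includes your own resolver's legitimate traffic it will also match genuine error responses to queries you sent, so run it over inbound-only or connection-tracked traffic, as Frank's firewall capture already is.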
