Not worried, But very interested.....
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Not worried, But very interested.....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Not worried, But very interested.....

    During my daily scan of my log files I noticed Snort dumped a four minute period of alerts for UDP transmissions to port zero from a large number of difference source addresses. There were only two destination addresses, my nameservers. Dest port was always zero, (obviously), and the source port was always 53, (DNS). The implication would be, (had the source ports been anything above 1024), that these were responses to valid DNS requests by my nameservers - ignoring the fact that the source address would send mulitiple packets to both nameservers in a couple of seconds and then quit.

    Being the good "log rat" I am I open the firewall log and run a search against a couple of the source IP's. They both began pinging my two nameservers just before 10:00am, then took part in the unusual activity, then continued to ping me at irregular intervals for the remainder of the afternoon both stopping within one second of one another at 17:40. The other source addresses mimic this behaviour. They all started in the same 2 minute period, joined in the unusual activity, pinged me irregularly for the afternoon and stopped within the same minute. At no time during the day had my nameservers made any request of these addresses.

    Whois indicates they were all from various ISP's scattered across the USA, tracerts of a couple seem to confirm the locations.

    Being a good "log rat" I looked in another logging system that shows me TCP SYN's. There has not been a connection initiated from any address over TCP in the past 20 days.....

    Things I think I know:-

    1. It's not a coincidence....
    2. It was deliberate and coordinated.
    3. It isn't an attempt at a DoS..... 30 packets from ten'ish machines in 4 minutes.......
    4. Since the ping's were dropped by the firewall it probably wasn't me being a "mirror" in a reflected DDoS because the port zero traffic would most likely go unreplied to also.
    5. Without digging deeper into logs, (which I may do), it seems that my systems have had no contact with these machines before.
    6. I am unaware of any new exploit against DNS servers.

    Has anyone seen traffic like this before and if you have do you know what it is? Does anyone have any fun theories about what this traffic may be?

    The logs are below....

    [Edit]

    Hmmm.... All the TTL's are 1 or 2..... Yet they seem to come from several places in the USA.... Spoofed..... The plot thickens....

    [/Edit]
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    Far fetched

    Maybe this is far fetched but anyway...

    They were trying to do a fingerprint of your system like you can read in this article I found a while ago

    Or they just where trying to find a system with the port 53 open to intercept DNS-requests or something.

    anyway I'm not an expert ...yet
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Cemetric: I have read that same article before, nice little article......

    Interestingly, the addresses seem to fall into similar address blocks and when tracert'ed they all fall 15 or 16 hops away thus it is quite possible for the TTL's to be 1 or 2. Is there an OS or device that sets the TTL as low as 16? I can't seem to find anything on Google.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Junior Member
    Join Date
    May 2004
    Posts
    14
    this tid bit of my firewall log may interst u
    not all traffic is logged-only that which doesnt match the rules
    i dont understand this as well you -but i do tend to think its traffic i havent asked for
    im only surfing the bloody net -checking emails and stuff
    and this continual pecking at my firewall comes in waves ,similar to how u describe
    it does seem co-ordinated(just dropped anICMPping from them as i type)
    i live in Australia and it mostly comes from servers within oz ,however sometimes
    .TW ,
    .RU ,
    even (you'll like this)devnull.someone.some*****ingdomain.com
    ( * added so i didnt swear ok? )

    1st time i saw that i just disconnected-had it a few times since-just dropped the packets
    most of them come from commindinco server's -who run or own quite a few large servers in this country(just dropped another 2 pings from .TW)
    it happens all the time,its driving me mad and i want to get to the bottom of it
    it was the motivation to join AO
    anyway have a look if u got the time

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    M3scal:

    Looking at your destination ports of that activity you are seeing pretty standard worm/scan activity on the Internet. There isn't much you can do about that except tell the firewall to stop bothering you about them...

    There are a couple of "different" looking entries but they could have been the result of something you were doing or just normal "oddities". I wouldn't worry too much about the majority of those entries.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    TTL16

    Tiger Shark ..no I don't know any OS that sets it that low ... I'll try to find it maybe I'll get lucky

    But maybe it started at a router ...

    They typically start at 255 don't they ?

    so 16 hops away 255 minus 16 is 239 ..so if I ping the IP-address I get TTL 238 ...
    hmmm
    Back when I was a boy, we carved our own IC's out of wood.

  7. #7
    Junior Member
    Join Date
    May 2004
    Posts
    14
    Tiger Shark
    ok thanx
    im not convinced this machine hasnt been compromised tho
    i cant browse as fast as used to(ive cleaned out spyware with only margin increase)and occasionally something seems to be sending data to this server identified as customer.reverse.entry.220.***.***.***
    the end address changes and ive had to make 3 different rules so far
    the firewall doesnt tell me of this event(i only catch it thru watching opened connections)
    im not shopping,im not a customer
    maybe its nothing..........
    but at least now i know a good chunk of it is worm/scan stuff
    ta

  8. #8
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I don't no if this helps any but here goes:

    4.7 TTL patch
    This patch by Harald Welte <laforge@gnumonks.org> adds a new target that enables the user to set the TTL value of an IP packet or to increment/decrement it by a given value.

    For example, if you want to set the TTL of all outgoing connections to 126, you can do as follows :

    # iptables -t mangle -A OUTPUT -j TTL --ttl-set 126

    # iptables -t mangle --list
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    TTL all -- anywhere anywhere TTL set to 126

    Supported options for the TTL target are :

    --ttl-set value

    -> Set TTL to <value>

    --ttl-dec value

    -> Decrement TTL by <value>

    --ttl-inc value

    -> Increment TTL by <value>

    Found here:http://linux.nbs.at/netfilter-hackin...s-HOWTO-4.html
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  9. #9
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I had a similiar probelm once with my ISP's DNS servers tiger shark.

    I kept getting firewall alerts stating that the source was my ISP's DNS servers. I did a little digging into it as well, and it was all pretty much exactly how it was for you. I even did a port scan on the DNS servers and found about 23 different ports open. I called up the ISP asking them about it, and asked the person about these alerts I'm getting coming from their DNS servers, they put me on hold, came back and told me that they don't do port forwarding
    They had no clue so I hung up and forogot about it.

    Anyways, as long as your firewalls blocking, not a whole lot to worry about really. Maybe you can call someone their and see what they say about it.
    =

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Thanks for the input guys.....

    I have found a few instances of similar traffic and people asking about it..... The problem is that no-one got an answer . The first instance i have found was back in early 2003 so it's hardly new..... I just can't find out anything concrete.

    Cheyenne: Yeah, like the title said I'm not that bothered, just intrugued. Rattling my brain trying to decide what the purpose could have been.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •