Not worried, But very interested.....

During my daily scan of my log files I noticed Snort dumped a four minute period of alerts for UDP transmissions to port zero from a large number of difference source addresses. There were only two destination addresses, my nameservers. Dest port was always zero, (obviously), and the source port was always 53, (DNS). The implication would be, (had the source ports been anything above 1024), that these were responses to valid DNS requests by my nameservers - ignoring the fact that the source address would send mulitiple packets to both nameservers in a couple of seconds and then quit.

Being the good "log rat" I am I open the firewall log and run a search against a couple of the source IP's. They both began pinging my two nameservers just before 10:00am, then took part in the unusual activity, then continued to ping me at irregular intervals for the remainder of the afternoon both stopping within one second of one another at 17:40. The other source addresses mimic this behaviour. They all started in the same 2 minute period, joined in the unusual activity, pinged me irregularly for the afternoon and stopped within the same minute. At no time during the day had my nameservers made any request of these addresses.

Whois indicates they were all from various ISP's scattered across the USA, tracerts of a couple seem to confirm the locations.

Being a good "log rat" I looked in another logging system that shows me TCP SYN's. There has not been a connection initiated from any address over TCP in the past 20 days.....

Things I think I know:-

1. It's not a coincidence.... ;)
2. It was deliberate and coordinated.
3. It isn't an attempt at a DoS..... 30 packets from ten'ish machines in 4 minutes.......
4. Since the ping's were dropped by the firewall it probably wasn't me being a "mirror" in a reflected DDoS because the port zero traffic would most likely go unreplied to also.
5. Without digging deeper into logs, (which I may do), it seems that my systems have had no contact with these machines before.
6. I am unaware of any new exploit against DNS servers.

Has anyone seen traffic like this before and if you have do you know what it is? Does anyone have any fun theories about what this traffic may be?

The logs are below....

[Edit]

Hmmm.... All the TTL's are 1 or 2..... Yet they seem to come from several places in the USA.... Spoofed..... The plot thickens....

[/Edit]

Maybe this is far fetched but anyway...

They were trying to do a fingerprint of your system like you can read in this article I found a while ago :confused:

Or they just where trying to find a system with the port 53 open to intercept DNS-requests or something.

anyway I'm not an expert ...yet :D ;)

Cemetric: I have read that same article before, nice little article......

Interestingly, the addresses seem to fall into similar address blocks and when tracert'ed they all fall 15 or 16 hops away thus it is quite possible for the TTL's to be 1 or 2. Is there an OS or device that sets the TTL as low as 16? I can't seem to find anything on Google.

this tid bit of my firewall log may interst u
not all traffic is logged-only that which doesnt match the rules
i dont understand this as well you -but i do tend to think its traffic i havent asked for
im only surfing the bloody net -checking emails and stuff
and this continual pecking at my firewall comes in waves ,similar to how u describe
it does seem co-ordinated(just dropped anICMPping from them as i type)
i live in Australia and it mostly comes from servers within oz ,however sometimes
.TW ,
.RU ,
even (you'll like this)devnull.someone.some*****ingdomain.com
( * added so i didnt swear ok? :p )

1st time i saw that i just disconnected-had it a few times since-just dropped the packets
most of them come from commindinco server's -who run or own quite a few large servers in this country(just dropped another 2 pings from .TW)
it happens all the time,its driving me mad and i want to get to the bottom of it
it was the motivation to join AO
anyway have a look if u got the time

M3scal:

Looking at your destination ports of that activity you are seeing pretty standard worm/scan activity on the Internet. There isn't much you can do about that except tell the firewall to stop bothering you about them... ;)

There are a couple of "different" looking entries but they could have been the result of something you were doing or just normal "oddities". I wouldn't worry too much about the majority of those entries.

Tiger Shark ..no I don't know any OS that sets it that low ... I'll try to find it maybe I'll get lucky ;)

But maybe it started at a router ...

They typically start at 255 don't they ?

so 16 hops away 255 minus 16 is 239 ..so if I ping the IP-address I get TTL 238 ...
hmmm
:confused:

Tiger Shark
ok thanx
im not convinced this machine hasnt been compromised tho
i cant browse as fast as used to(ive cleaned out spyware with only margin increase)and occasionally something seems to be sending data to this server identified as customer.reverse.entry.220.***.***.***
the end address changes and ive had to make 3 different rules so far
the firewall doesnt tell me of this event(i only catch it thru watching opened connections)
im not shopping,im not a customer :D
maybe its nothing..........
but at least now i know a good chunk of it is worm/scan stuff
ta

I don't no if this helps any but here goes:

4.7 TTL patch
This patch by Harald Welte <[email protected]> adds a new target that enables the user to set the TTL value of an IP packet or to increment/decrement it by a given value.

For example, if you want to set the TTL of all outgoing connections to 126, you can do as follows :

# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126

# iptables -t mangle --list
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TTL all -- anywhere anywhere TTL set to 126

Supported options for the TTL target are :

--ttl-set value

-> Set TTL to <value>

--ttl-dec value

-> Decrement TTL by <value>

--ttl-inc value

-> Increment TTL by <value>

Found here:http://linux.nbs.at/netfilter-hackin...s-HOWTO-4.html

I had a similiar probelm once with my ISP's DNS servers tiger shark.

I kept getting firewall alerts stating that the source was my ISP's DNS servers. I did a little digging into it as well, and it was all pretty much exactly how it was for you. I even did a port scan on the DNS servers and found about 23 different ports open. I called up the ISP asking them about it, and asked the person about these alerts I'm getting coming from their DNS servers, they put me on hold, came back and told me that they don't do port forwarding :eek:
They had no clue so I hung up and forogot about it.

Anyways, as long as your firewalls blocking, not a whole lot to worry about really. Maybe you can call someone their and see what they say about it.

Thanks for the input guys.....

I have found a few instances of similar traffic and people asking about it..... The problem is that no-one got an answer :( . The first instance i have found was back in early 2003 so it's hardly new..... I just can't find out anything concrete.

Cheyenne: Yeah, like the title said I'm not that bothered, just intrugued. Rattling my brain trying to decide what the purpose could have been.....