
| Subject: | Re: constant flow of root queries |
|---|---|
| Date: | Thu, 19 Jan 2006 19:15:00 +1300 |
On 1/19/06, Brian Collins <listbc@newnanutilities.org> wrote:

Good day folks. This morning an admin asked us to check on a large amount of traffic targeting several DNS servers in our network (both our own DNS servers and customer co-located DNS servers). In looking at the traffic I see that the source is making several queries a second for DNS root. I have included a small sample from tcpdump below. Not sure what the motive is here. The TTLs are all 235. The random source ports make me think possibly spoofed traffic. I can put packet dumps up on a website in libpcap format if anyone is interested. They are still going on as I type this. Thanks for any insight you can lend.

```
08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] ANY ANY? . (28)
```
It could be a DoS attack on 207.210.68.202 from an unknown attacker, using your DNS servers. The query for the root servers generates a nice response which can be used to flood the target (small query, big response). As you know what the TTL of incoming packets is (235), you can do a traceroute to this IP address from your network and see what number of hops you will get - that will help you to determine if the packet is spoofed or not.

Cheers,
Bojan
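As an added illustration (not part of the thread), the following Python script applies the two observations above to tcpdump output: it groups root-zone `ANY` queries per source IP (count, distinct source ports, rate), and it turns an observed TTL into an implied hop distance to compare against a traceroute, as Bojan suggests. The sample lines are constructed in the format quoted in the thread; the slack of two hops and the set of common initial TTLs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the thread (not real capture data).
SAMPLE = """\
08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] ANY ANY? . (28)
08:44:32.102311 IP 207.210.68.202.40012 > 216.130.152.71.53: 2201+ [1au] ANY ANY? . (28)
08:44:32.455019 IP 10.0.0.5.53412 > 216.130.152.71.53: 9001+ A? www.example.com. (33)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.53: "
    r"\d+\+ (?:\[1au\] )?(?P<q>[A-Z]+(?: [A-Z]+)?)\? (?P<qname>\S+) \(\d+\)$"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def root_any_queries(text):
    """Per source IP: how many ANY queries for the root zone ".", how many distinct
    source ports they used, and the query rate over the observed window."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "t": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("qname") != "." or m.group("q").split()[-1] != "ANY":
            continue  # not a root ANY query (or not a query line at all)
        rec = per_src[m.group("src")]
        rec["count"] += 1
        rec["ports"].add(m.group("sport"))
        rec["t"].append(_seconds(m.group("ts")))
    out = {}
    for src, r in per_src.items():
        span = max(r["t"]) - min(r["t"])
        out[src] = {"count": r["count"], "distinct_ports": len(r["ports"]),
                    "rate_per_s": r["count"] / span if span > 0 else float(r["count"])}
    return out

def hops_from_ttl(observed_ttl, initial_ttls=(64, 128, 255)):
    """Hop distance implied by the received TTL, assuming the nearest common initial TTL."""
    for init in initial_ttls:
        if observed_ttl <= init:
            return init - observed_ttl
    return None

def ttl_matches_traceroute(observed_ttl, traceroute_hops, slack=2):
    """Bojan's check: a genuine source's TTL-implied distance should roughly agree with
    the hop count of a traceroute toward it; a large mismatch suggests spoofing."""
    inferred = hops_from_ttl(observed_ttl)
    return inferred is not None and abs(inferred - traceroute_hops) <= slack

if __name__ == "__main__":
    print(root_any_queries(SAMPLE))
    print(hops_from_ttl(235), ttl_matches_traceroute(235, 21))
```

Paths are often asymmetric, so treat the TTL-versus-traceroute comparison as a rough indicator rather than proof either way.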