[plug] dns connection attempts
Bill Kenworthy
billk at iinet.net.au
Wed Dec 13 20:42:11 WST 2000
Here an interesting one:
occaisionly I am getting a "spray" of attempts to connect to port 53
(dns) ipchains blocks them, but what is causing it? I presume bad
guy's, but the pattern is a bit odd. nmap shows a linux box at each of
the IP's I have tried, nslookup shows nothing. nmap shows all machines
in a "spray" have the same signature, so I surmise that its the same
machine with multiple IP's (spoofed?) Other day's, its been a different
(linux) machine by the signature, but all IP's still give an identical
signature! In one case only, all packets had a different source IP, but
the same outgoing port!
Sample:
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
216.6.49.143:9354 203.59.181.iinet:53 L=73 S=0x00 I=30690 F=0x0000 T=45
(#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
64.78.174.34:2431 203.59.181.iinet:53 L=73 S=0x00 I=28725 F=0x0000 T=46
(#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
209.92.236.2:2012 203.59.181.iinet:53 L=73 S=0x00 I=12109 F=0x0000 T=48
(#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
64.78.156.2:2661 203.59.181.iinet:53 L=73 S=0x00 I=32543 F=0x0000 T=48
(#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
64.70.61.2:2701 203.59.181.iinet:53 L=73 S=0x00 I=12155 F=0x0000 T=48
(#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17
64.41.192.103:42540 203.59.181.iinet:53 L=73 S=0x00 I=37650 F=0x0000
T=47 (#80)
Anyone else had this? Is there a site that gives details of signatures
of diffent types of attack? - I havent stumbled across any so far,
interested in what tools are used and how they are trying to get in.
BillK
More information about the plug
mailing list