[plug] dns connection attempts

Bill Kenworthy billk at iinet.net.au
Wed Dec 13 20:42:11 WST 2000


Here's an interesting one:

Occasionally I am getting a "spray" of attempts to connect to port 53
(dns).  ipchains blocks them, but what is causing it?  I presume bad
guys, but the pattern is a bit odd.  nmap shows a linux box at each of
the IPs I have tried, nslookup shows nothing.  nmap shows all machines
in a "spray" have the same signature, so I surmise that it's the same
machine with multiple IPs (spoofed?)  Other days, it's been a different
(linux) machine by the signature, but all IPs still give an identical
signature!  In one case only, all packets had a different source IP, but
the same outgoing port!

Sample:
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 216.6.49.143:9354 203.59.181.iinet:53 L=73 S=0x00 I=30690 F=0x0000 T=45 (#80)

Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.78.174.34:2431 203.59.181.iinet:53 L=73 S=0x00 I=28725 F=0x0000 T=46 (#80)

Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 209.92.236.2:2012 203.59.181.iinet:53 L=73 S=0x00 I=12109 F=0x0000 T=48 (#80)

Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.78.156.2:2661 203.59.181.iinet:53 L=73 S=0x00 I=32543 F=0x0000 T=48 (#80)

Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.70.61.2:2701 203.59.181.iinet:53 L=73 S=0x00 I=12155 F=0x0000 T=48 (#80)

Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.41.192.103:42540 203.59.181.iinet:53 L=73 S=0x00 I=37650 F=0x0000 T=47 (#80)

Anyone else had this?  Is there a site that gives details of signatures
of different types of attack?  I haven't stumbled across any so far;
interested in what tools are used and how they are trying to get in.

BillK
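As an added example (not part of Bill's post), here is a small Python parser for the ipchains "Packet log:" format quoted above. It groups the denied UDP/53 packets by syslog second and reports the traits the post asks about: how many distinct sources arrived in the same second, whether they share one source port, and whether the packet lengths and TTLs match. The sample input is the six log entries from the post, rejoined onto one line each.

```python
import re
from collections import defaultdict

# One ipchains "Packet log:" entry as quoted above; the destination host is
# partly redacted ("203.59.181.iinet"), so addresses are matched as plain tokens.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ (?P<target>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) S=\S+ I=(?P<id>\d+) F=\S+ T=(?P<ttl>\d+)")

# The six entries from the post, each rejoined onto a single line.
SAMPLE = """\
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 216.6.49.143:9354 203.59.181.iinet:53 L=73 S=0x00 I=30690 F=0x0000 T=45 (#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.78.174.34:2431 203.59.181.iinet:53 L=73 S=0x00 I=28725 F=0x0000 T=46 (#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 209.92.236.2:2012 203.59.181.iinet:53 L=73 S=0x00 I=12109 F=0x0000 T=48 (#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.78.156.2:2661 203.59.181.iinet:53 L=73 S=0x00 I=32543 F=0x0000 T=48 (#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.70.61.2:2701 203.59.181.iinet:53 L=73 S=0x00 I=12155 F=0x0000 T=48 (#80)
Dec 13 20:01:52 Ralph kernel: Packet log: input DENY ppp0 PROTO=17 64.41.192.103:42540 203.59.181.iinet:53 L=73 S=0x00 I=37650 F=0x0000 T=47 (#80)
""".splitlines()

def parse_ipchains(line):
    """Return the fields of one log line as a dict (ints where numeric), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[k] = int(rec[k])
    return rec

def find_sprays(lines, dport=53, proto=17, min_sources=3):
    """Bucket denied packets to dport by syslog second; report buckets with at
    least min_sources distinct source IPs plus the traits the post asks about."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_ipchains(line)
        if rec and rec["dport"] == dport and rec["proto"] == proto:
            buckets[rec["ts"]].append(rec)
    sprays = []
    for ts, recs in sorted(buckets.items()):
        srcs = sorted({r["src"] for r in recs})
        if len(srcs) < min_sources:
            continue
        sprays.append({
            "ts": ts, "sources": srcs,
            "same_sport": len({r["sport"] for r in recs}) == 1,  # the one-port oddity
            "lengths": {r["len"] for r in recs},  # identical L= suggests one tool
            "ttl_range": (min(r["ttl"] for r in recs), max(r["ttl"] for r in recs)),
        })
    return sprays
```

Run over the sample it reports one spray: six sources in the same second, all with different source ports, all L=73, TTLs 45 to 48.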
