[nsp-sec] Got traffic?
Nicholas Ianelli
ni at centergate.net
Fri Jul 17 10:24:55 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>> 156.154.100.3
>> 156.154.101.3
>> 156.154.102.3
>> 156.154.103.3
>
> Are you seeing legitimately-looking DNS requests? There are some
> delegations looping back to ns*.nic.uk, which could lead resolvers
> astray (e.g. arkselfstorage.co.uk, growthengine.co.uk). This could
> lead to issues if one of them is a popular domain. BIND caches the
> resolution failure quite aggressively (because the zone isn't signed),
> but other resolvers might not do this.
Yes, the requests are MX resolution requests. Originally I thought they
were adding garbage alphanumeric characters to the domains, but upon
further investigation it appears the names aren't even registered
(potentially leveraging a keyword list or limited sized dictionary - in
addition to appending some random chars).
The actual MX requests do not appear to be coming from other DNS
servers, but rather compromised hosts. There looks to be a mixture of
spoofed and non-spoofed sources.
Example requests:
15:58:41.070436 IP (tos 0x0, ttl 112, id 49496, offset 0, flags [none],
proto 17, length: 80) 87.17.147.XX.7263 > 156.154.102.3.domain: [udp sum
ok] 202+ MX? investingtechnologyinvesting.co.uk. (52)
15:58:41.070482 IP (tos 0x0, ttl 116, id 35169, offset 0, flags [none],
proto 17, length: 56) 190.253.165.XXX.20701 > 156.154.102.3.domain: [udp
sum ok] 50+ MX? hoohing.uk. (28)
15:58:41.070580 IP (tos 0x0, ttl 112, id 9364, offset 0, flags [none],
proto 17, length: 79) 151.59.247.XXX.49701 > 156.154.102.3.domain: [udp
sum ok] 58+ MX? commercecompaniesinvestingp.co.uk. (51)
15:58:41.070902 IP (tos 0x0, ttl 113, id 23711, offset 0, flags [none],
proto 17, length: 81) 187.10.47.XXX.59415 > 156.154.101.3.domain: [udp
sum ok] 85+ MX? businessfreeautomobilesclexpy.co.uk. (53)
15:58:41.070967 IP (tos 0x0, ttl 114, id 2733, offset 0, flags [none],
proto 17, length: 59) 79.55.97.XXX.22498 > 156.154.102.3.domain: [udp
sum ok] 238+ MX? drwtrading.uk. (31)
15:58:41.070980 IP (tos 0x0, ttl 111, id 14604, offset 0, flags [none],
proto 17, length: 75) 86.110.185.XXX.17945 > 156.154.101.3.domain: [udp
sum ok] 121+ MX? apfmzqytdtisywsdwmhkuon.co.uk. (47)
15:58:41.074802 IP (tos 0x0, ttl 114, id 43988, offset 0, flags [none],
proto 17, length: 75) 78.93.226.XXX.29154 > 156.154.101.3.domain: [udp
sum ok] 174+ MX? advertisingbusinessnv80.co.uk. (47)
15:58:41.075009 IP (tos 0x0, ttl 109, id 48204, offset 0, flags [none],
proto 17, length: 52) 93.55.207.XXX.33692 > 156.154.102.3.domain: [udp
sum ok] 130+ MX? spd.uk. (24)
15:58:41.075055 IP (tos 0x0, ttl 111, id 18697, offset 0, flags [none],
proto 17, length: 73) 151.61.253.XXX.14188 > 156.154.102.3.domain: [udp
sum ok] 194+ MX? bigfreecooperativesyi.co.uk. (45)
15:58:41.075142 IP (tos 0x0, ttl 113, id 31608, offset 0, flags [none],
proto 17, length: 74) 190.42.149.XXX.15027 > 156.154.102.3.domain: [udp
sum ok] 20+ MX? marketingresources3f0f.co.uk. (46)
Nick
- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkpgibcACgkQi10dJIBjZIBn/ACeNHDTIZNKEaB/Xc6lQCUi+mC4
QmYAoJV4ijkc0s4VKhjNUHmfIgvbhhct
=akKq
-----END PGP SIGNATURE-----
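The post above is what an analyst sees on the wire; the next step is to turn the raw tcpdump records into counts that support or refute the "keyword list plus random characters" reading. The script below is an added example, not code from the original post or from NeuStar. It parses tcpdump lines of the exact shape quoted in the message (the ten sample records are copied from the post, each re-joined onto one line, with the source octets left masked as the poster masked them), splits each queried label against a small keyword list, and reports how the names, target servers and IP TTLs are distributed. The keyword list is an assumption reconstructed from the names visible in the post, not a list the poster published; the classification thresholds are likewise the example's own.

```python
"""Triage helper for an MX query flood of the kind described in the post above.

Added example, not code from the original post or from NeuStar. Parses tcpdump
records, segments each queried label with a keyword list (assumed, see below),
and summarises name types, target servers and TTL spread.
"""
import math
import re
from collections import Counter

# Sample records copied from the post, each re-joined onto one line. Source
# octets stay masked as "XX"/"XXX" exactly as the poster masked them.
SAMPLE = """\
15:58:41.070436 IP (tos 0x0, ttl 112, id 49496, offset 0, flags [none], proto 17, length: 80) 87.17.147.XX.7263 > 156.154.102.3.domain: [udp sum ok] 202+ MX? investingtechnologyinvesting.co.uk. (52)
15:58:41.070482 IP (tos 0x0, ttl 116, id 35169, offset 0, flags [none], proto 17, length: 56) 190.253.165.XXX.20701 > 156.154.102.3.domain: [udp sum ok] 50+ MX? hoohing.uk. (28)
15:58:41.070580 IP (tos 0x0, ttl 112, id 9364, offset 0, flags [none], proto 17, length: 79) 151.59.247.XXX.49701 > 156.154.102.3.domain: [udp sum ok] 58+ MX? commercecompaniesinvestingp.co.uk. (51)
15:58:41.070902 IP (tos 0x0, ttl 113, id 23711, offset 0, flags [none], proto 17, length: 81) 187.10.47.XXX.59415 > 156.154.101.3.domain: [udp sum ok] 85+ MX? businessfreeautomobilesclexpy.co.uk. (53)
15:58:41.070967 IP (tos 0x0, ttl 114, id 2733, offset 0, flags [none], proto 17, length: 59) 79.55.97.XXX.22498 > 156.154.102.3.domain: [udp sum ok] 238+ MX? drwtrading.uk. (31)
15:58:41.070980 IP (tos 0x0, ttl 111, id 14604, offset 0, flags [none], proto 17, length: 75) 86.110.185.XXX.17945 > 156.154.101.3.domain: [udp sum ok] 121+ MX? apfmzqytdtisywsdwmhkuon.co.uk. (47)
15:58:41.074802 IP (tos 0x0, ttl 114, id 43988, offset 0, flags [none], proto 17, length: 75) 78.93.226.XXX.29154 > 156.154.101.3.domain: [udp sum ok] 174+ MX? advertisingbusinessnv80.co.uk. (47)
15:58:41.075009 IP (tos 0x0, ttl 109, id 48204, offset 0, flags [none], proto 17, length: 52) 93.55.207.XXX.33692 > 156.154.102.3.domain: [udp sum ok] 130+ MX? spd.uk. (24)
15:58:41.075055 IP (tos 0x0, ttl 111, id 18697, offset 0, flags [none], proto 17, length: 73) 151.61.253.XXX.14188 > 156.154.102.3.domain: [udp sum ok] 194+ MX? bigfreecooperativesyi.co.uk. (45)
15:58:41.075142 IP (tos 0x0, ttl 113, id 31608, offset 0, flags [none], proto 17, length: 74) 190.42.149.XXX.15027 > 156.154.102.3.domain: [udp sum ok] 20+ MX? marketingresources3f0f.co.uk. (46)
"""

# Assumed keyword list, reconstructed from the names in the post; longest first
# so that greedy matching prefers the longer word.
KEYWORDS = sorted(
    ["investing", "technology", "commerce", "companies", "business", "free",
     "automobiles", "advertising", "big", "cooperatives", "marketing",
     "resources", "trading"], key=len, reverse=True)

# Matches the tcpdump -vv UDP/DNS line format shown in the post.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+), id (?P<ipid>\d+),.*?\) (?P<src>\S+) > (?P<dst>\S+): "
    r"\[udp sum ok\] (?P<txid>\d+)\+ (?P<qtype>\w+)\? (?P<qname>\S+)\. \(\d+\)")


def parse(line):
    """Return a dict for one tcpdump record, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)   # keeps masked octets as text
    dst_host, _ = m["dst"].rsplit(".", 1)          # strip the "domain" port name
    return {"ttl": int(m["ttl"]), "src": src_host, "sport": int(src_port),
            "dst": dst_host, "txid": int(m["txid"]), "qtype": m["qtype"],
            "qname": m["qname"].lower()}


def segment(label):
    """Greedy longest-match split of a label into keywords plus leftover chars."""
    words, residue, i = [], "", 0
    while i < len(label):
        for kw in KEYWORDS:
            if label.startswith(kw, i):
                words.append(kw)
                i += len(kw)
                break
        else:
            residue += label[i]
            i += 1
    return words, residue


def entropy(s):
    """Shannon entropy in bits per character; high for random-looking strings."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def classify(qname):
    """Label the registrable part of a name; thresholds are this example's own."""
    label = qname.split(".")[0]
    words, residue = segment(label)
    if words and residue:
        return "keyword+random"
    if words:
        return "keyword-only"
    if len(label) >= 8 and entropy(label) > 3.5:
        return "random"
    return "short/unknown"


def summarize(text):
    """Aggregate a capture into the counts an analyst would want to report."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    return {"records": len(recs),
            "classes": Counter(classify(r["qname"]) for r in recs),
            "qtypes": Counter(r["qtype"] for r in recs),
            "targets": Counter(r["dst"] for r in recs),
            "ttl_values": sorted({r["ttl"] for r in recs}),
            "max_txid": max(r["txid"] for r in recs)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the ten sample records this reports six "keyword+random" names, one "keyword-only", one "random" and two "short/unknown", all MX queries, seven aimed at 156.154.102.3 and three at 156.154.101.3. Two caveats for real use: with one packet per source the TTL spread alone cannot separate spoofed from genuine sources (that needs several packets per source, or a comparison against the TTL the source shows for normal traffic), and the transaction IDs in the sample all fit in eight bits, which is worth checking across the whole capture before treating it as a fingerprint of the sending tool.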