[nsp-sec] Spoofed DNS traffic from internal address space

Jason Chambers jchambers at ucla.edu
Wed Apr 27 04:36:05 EDT 2011


Hello all,

I've noticed some odd DNS traffic entering our border using internal
address space.  This has been going on at least since 2011/04/14 which
is the limit of my flow history.  I think the queries are cyclical; I
picked a few and found the number per hour to be fairly consistent
(45-72 per domain) going back to 2011/04/17 GMT.  That seems to be the
date when the pattern changed.  89% of the domains resolve to IPs in the
APNIC region.  Of the 2785 unique queries found in a 5-10 minute window
most turn out to be CNAME to CNAME records.  I'm tired so I've not yet
finished looking for common SOA/NS.

Any ideas?


The queries have been spoofed from the following UCLA netblocks:

sIP_First24|        Records|               Bytes|          Packets|
128. 97.  9|        8404598|           526443265|          8406605|
128. 97. 10|        8941430|           560067655|          8943584|
149.142.193|         697794|            43720058|           697921|
149.142.194|        2887812|           180901166|          2888236|
164. 67.127|       33720455|          2112679424|         33728029|
164. 67.128|       36106028|          2262261122|         36114365|
164. 67.162|         426452|            26708489|           426515|
164. 67.163|        1142253|            71541012|          1142441|


As of 2011/04/22:06 GMT only the following are still actively used:

sIP_First24|        Records|               Bytes|          Packets|
128. 97.  9|        4443181|           278276041|          4444535|
128. 97. 10|        4727490|           296085549|          4728925|
164. 67.127|       13637575|           854208638|         13641918|
164. 67.128|       14606082|           914936105|         14610793|


Our internal caching DNS servers are 164.67.128.{1,2,3}.  Over the
entire time frame a few other campus DNS servers were involved.

            dIP|dPort|sIP-Distin|
   164.67.128.1|   53|       199|
    128.97.10.2|   53|       199|
   164.67.128.2|   53|       199|
   164.67.128.3|   53|       199|



Here's what the rate looks like over the past 13 days:

               Date|        Records|               Bytes|          Packets|
2011/04/14T00:00:00|     4865182.00|        305045228.00|       4865885.00|
2011/04/15T00:00:00|     4699312.00|        294597163.00|       4700075.00|
2011/04/16T00:00:00|     6676642.00|        418483309.00|       6677812.00|
2011/04/17T00:00:00|     6262941.00|        392516581.00|       6264098.00|
2011/04/18T00:00:00|     6403897.00|        401313655.00|       6405025.00|
2011/04/19T00:00:00|     7653999.00|        479493909.00|       7655234.00|
2011/04/20T00:00:00|     8021117.00|        502390937.00|       8022391.00|
2011/04/21T00:00:00|     8003932.00|        501350459.00|       8005177.00|
2011/04/22T00:00:00|     7422632.96|        464838106.04|       7424548.91|
2011/04/23T00:00:00|     7710461.04|        482934221.96|       7713114.09|
2011/04/24T00:00:00|     7968125.00|        499063253.00|       7970872.00|
2011/04/25T00:00:00|     7616064.00|        477125077.00|       7618560.00|
2011/04/26T00:00:00|     7471303.00|        468045706.00|       7473664.00|
2011/04/27T00:00:00|     1552574.00|         97246694.00|       1553062.00|



Regards,

-- 

Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603
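The observation in the post is a classic ingress anti-spoofing signal: a packet arriving from outside the border with a source address inside your own allocation cannot be legitimate. The script below is an added example, not part of the original mail or any UCLA tooling. It reproduces the kind of per-/24 roll-up shown in the post (records, bytes, packets keyed on the first three octets) from flow records. The flow line format, the `direction` field, the /16 internal prefixes and all sample records are assumptions constructed for the example; the post only names individual /24s.

```python
"""Flag ingress flows whose source address lies in our own address space.
Such packets cannot legitimately arrive from outside the border, so they
are spoofed, which is the pattern reported in the post.  Assumption: each
flow record carries a direction field ("in" = entered from the outside)."""
import ipaddress
from collections import defaultdict

# Constructed sample records, NOT taken from the post.
# Fields: direction|sIP|dIP|dPort|proto|packets|bytes
SAMPLE_FLOWS = """\
in|164.67.128.55|203.0.113.10|53|17|1|62
in|164.67.128.56|203.0.113.11|53|17|1|64
in|128.97.9.14|198.51.100.7|53|17|1|61
in|198.51.100.20|164.67.128.1|53|17|1|70
out|164.67.128.1|203.0.113.10|53|17|1|62
in|164.67.127.200|203.0.113.12|80|6|5|400
"""

# Assumed internal prefixes (the post only lists /24s as sIP_First24).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("128.97.0.0/16", "149.142.0.0/16", "164.67.0.0/16")]


def parse_flows(text):
    """Parse pipe-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, sip, dip, dport, proto, pkts, byts = line.split("|")
        flows.append({
            "direction": direction,
            "sIP": ipaddress.ip_address(sip),
            "dIP": ipaddress.ip_address(dip),
            "dPort": int(dport),
            "proto": int(proto),
            "packets": int(pkts),
            "bytes": int(byts),
        })
    return flows


def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    """True if addr falls inside any of our own prefixes."""
    return any(addr in net for net in prefixes)


def first24(addr):
    """Group key in the style of SiLK's sIP_First24: first three octets."""
    return ".".join(str(addr).split(".")[:3])


def find_spoofed_dns(flows, prefixes=INTERNAL_PREFIXES, dport=53):
    """Per-/24 totals of ingress flows whose source is internal.

    dport=53 restricts the report to DNS, matching the post; dport=None
    drops the port filter and reports every spoofed ingress flow."""
    totals = defaultdict(lambda: {"records": 0, "bytes": 0, "packets": 0})
    for f in flows:
        if f["direction"] != "in":
            continue  # only traffic entering the border can be spoofed here
        if not is_internal(f["sIP"], prefixes):
            continue  # genuine external source, nothing to flag
        if dport is not None and f["dPort"] != dport:
            continue
        key = first24(f["sIP"])
        totals[key]["records"] += 1
        totals[key]["bytes"] += f["bytes"]
        totals[key]["packets"] += f["packets"]
    return dict(totals)


if __name__ == "__main__":
    print(f"{'sIP_First24':>15}|{'Records':>10}|{'Bytes':>12}|{'Packets':>10}|")
    for key, t in sorted(find_spoofed_dns(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{key:>15}|{t['records']:>10}|{t['bytes']:>12}|{t['packets']:>10}|")
```

The direction check is what makes this a spoofing detector rather than a plain source-prefix count: the same internal source seen on an outbound flow (the `out` record above) is the resolver doing its job and is not reported. Running the port filter with `dport=None` is the broader check worth scheduling, since spoofed sources rarely stay confined to one service.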
