[nsp-sec] Spoofed DNS traffic from internal address space

White, Gerard Gerard.White at bellaliant.ca
Wed Apr 27 04:50:41 EDT 2011


Hi Jason.

We provide commodity transit for one University that was subject to a similar issue...

In their case, spoofed DNS traffic was being aimed at their DNS infrastructure, but the TTL
was getting carefully trimmed so that various routers in our IP Core (1,2,3 hops away) would
bombard them with ICMP Type 11 Code 0 :(

We eventually back-traced the offending traffic flows as coming via Level3.

Mr. Janish and team were kind enough to block said traffic - not sure if he completed a
back-trace exercise to discover its ASN origin.

GW
855 - Bell Aliant
 

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Jason Chambers
Sent: April-27-11 6:06 AM
To: nsp-security NSP
Subject: [nsp-sec] Spoofed DNS traffic from internal address space

----------- nsp-security Confidential --------

Hello all,

I've noticed some odd DNS traffic entering our border using internal
address space.  This has been going on at least since 2011/04/14 which
is the limit of my flow history.  I think the queries are cyclical; I
picked a few and found the number per hour to be fairly consistent
(45-72 per domain) going back to 2011/04/17 GMT.  That seems to be the
date when the pattern changed.  89% of the domains resolve to IPs in the
APNIC region.  Of the 2785 unique queries found in a 5-10 minute window
most turn out to be CNAME to CNAME records.  I'm tired so I've not yet
finished looking for common SOA/NS.

Any ideas ?


The queries have been spoofed from the following UCLA netblocks:

sIP_First24|        Records|               Bytes|          Packets|
128. 97.  9|        8404598|           526443265|          8406605|
128. 97. 10|        8941430|           560067655|          8943584|
149.142.193|         697794|            43720058|           697921|
149.142.194|        2887812|           180901166|          2888236|
164. 67.127|       33720455|          2112679424|         33728029|
164. 67.128|       36106028|          2262261122|         36114365|
164. 67.162|         426452|            26708489|           426515|
164. 67.163|        1142253|            71541012|          1142441|


As of 2011/04/22:06 GMT only the following are still actively used:

sIP_First24|        Records|               Bytes|          Packets|
128. 97.  9|        4443181|           278276041|          4444535|
128. 97. 10|        4727490|           296085549|          4728925|
164. 67.127|       13637575|           854208638|         13641918|
164. 67.128|       14606082|           914936105|         14610793|


Our internal caching DNS servers are 164.67.128.{1,2,3}.  Over the
entire time frame a few other campus DNS servers were involved.

            dIP|dPort|sIP-Distin|
   164.67.128.1|   53|       199|
    128.97.10.2|   53|       199|
   164.67.128.2|   53|       199|
   164.67.128.3|   53|       199|



Here's what the rate looks like over the past 13 days:

               Date|        Records|               Bytes|          Packets|
2011/04/14T00:00:00|     4865182.00|        305045228.00|       4865885.00|
2011/04/15T00:00:00|     4699312.00|        294597163.00|       4700075.00|
2011/04/16T00:00:00|     6676642.00|        418483309.00|       6677812.00|
2011/04/17T00:00:00|     6262941.00|        392516581.00|       6264098.00|
2011/04/18T00:00:00|     6403897.00|        401313655.00|       6405025.00|
2011/04/19T00:00:00|     7653999.00|        479493909.00|       7655234.00|
2011/04/20T00:00:00|     8021117.00|        502390937.00|       8022391.00|
2011/04/21T00:00:00|     8003932.00|        501350459.00|       8005177.00|
2011/04/22T00:00:00|     7422632.96|        464838106.04|       7424548.91|
2011/04/23T00:00:00|     7710461.04|        482934221.96|       7713114.09|
2011/04/24T00:00:00|     7968125.00|        499063253.00|       7970872.00|
2011/04/25T00:00:00|     7616064.00|        477125077.00|       7618560.00|
2011/04/26T00:00:00|     7471303.00|        468045706.00|       7473664.00|
2011/04/27T00:00:00|     1552574.00|         97246694.00|       1553062.00|



Regards,

-- 

Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
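The tables in the quoted post are SiLK-style aggregates (records, bytes and packets per source /24; distinct sources per destination and port), and the underlying detection rule is the one RFC 2827 / BCP 38 ingress filtering is built on: a flow that arrives on a transit-facing interface while carrying a source address from the site's own prefixes cannot be legitimate, so it is spoofed. The script below is an added example that reproduces that analysis over constructed flow records; it is not the poster's tooling or the list's code. The "internal" prefixes are simply the /24s named in the post, the interface indices and every flow record are invented for the example, and the whole thing runs offline.

```python
"""Flag and summarize spoofed-internal-source traffic in border flow records.

Added example for the thread above (not the poster's tooling). The campus
prefixes are the /24s named in the post, the ifIndex values and all flow
records are constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumed campus address space: the /24s named in the post, treated as internal.
INTERNAL = [ipaddress.ip_network(p) for p in (
    "128.97.9.0/24", "128.97.10.0/24", "164.67.127.0/24", "164.67.128.0/24")]
# Assumed ifIndex values of the transit-facing (upstream) interfaces at the border.
EXTERNAL_IFACES = {10, 11}


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the campus prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL)


def spoofed_ingress(flows, external_ifaces=EXTERNAL_IFACES):
    """Flows that entered on a transit interface yet carry an internal source.

    Campus traffic never arrives from upstream, so these are spoofed; an
    upstream applying BCP 38 toward us would have dropped them already.
    """
    return [f for f in flows
            if f["in_if"] in external_ifaces and is_internal(f["sip"])]


def by_source_slash24(flows):
    """Records / bytes / packets per source /24, like the post's sIP_First24 table."""
    agg = defaultdict(lambda: {"records": 0, "bytes": 0, "packets": 0})
    for f in flows:
        key = str(ipaddress.ip_network(f["sip"] + "/24", strict=False))
        row = agg[key]
        row["records"] += 1
        row["bytes"] += f["bytes"]
        row["packets"] += f["packets"]
    return dict(agg)


def distinct_sources_per_target(flows):
    """(dIP, dPort) -> number of distinct source addresses, like the dIP|dPort|sIP-Distin table."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["dip"], f["dport"])].add(f["sip"])
    return {k: len(v) for k, v in seen.items()}


def hourly_rate(flows):
    """Records per hour; a flat profile here is what the post calls a cyclical pattern."""
    c = Counter()
    for f in flows:
        c[f["ts"].strftime("%Y/%m/%dT%H:00")] += 1
    return dict(sorted(c.items()))


def mkflow(ts, in_if, sip, dip, dport=53, packets=1, nbytes=62):
    """Build one constructed NetFlow-like record (UDP, single packet by default)."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "in_if": in_if,
            "sip": sip, "dip": dip, "dport": dport, "proto": 17,
            "packets": packets, "bytes": nbytes}


# Constructed sample: five spoofed queries entering from transit (ifIndex 10/11),
# one genuine external query, and one campus-sourced flow seen on the inside
# interface (ifIndex 2), which must NOT be flagged.
SAMPLE_FLOWS = [
    mkflow("2011-04-22 06:00", 10, "128.97.9.17", "164.67.128.1"),
    mkflow("2011-04-22 06:00", 10, "128.97.9.18", "164.67.128.1"),
    mkflow("2011-04-22 06:30", 11, "164.67.127.5", "164.67.128.2"),
    mkflow("2011-04-22 07:05", 10, "128.97.10.200", "128.97.10.2"),
    mkflow("2011-04-22 07:10", 11, "164.67.128.77", "164.67.128.3", nbytes=70),
    mkflow("2011-04-22 07:15", 10, "198.51.100.9", "164.67.128.1"),   # real external client
    mkflow("2011-04-22 07:20", 2, "128.97.9.17", "198.51.100.9"),     # legit outbound
]


def report(flows=SAMPLE_FLOWS):
    """Run the three summaries over the spoofed subset of the given flows."""
    spoofed = spoofed_ingress(flows)
    return {
        "spoofed_records": len(spoofed),
        "by_slash24": by_source_slash24(spoofed),
        "targets": distinct_sources_per_target(spoofed),
        "hourly": hourly_rate(spoofed),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(report())
```

The one caveat worth stating: the "internal source on an external interface" test is only sound where routing is symmetric and the site's prefixes are not announced from anywhere else; a multihomed site with a second exit, or a prefix legitimately originated by a partner, needs the interface set adjusted before the rule is trusted as a spoofing indicator.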