[nsp-sec] huge spikes in tcp 53. rackspace owns one of the ddos victims:(
Smith, Donald
Donald.Smith at qwest.com
Thu Mar 17 09:43:58 EDT 2011
Those resets look like responses to spoofed traffic to me.
Of course it could be misbehaving clients or simple SYN scanning with no listener on the port (thus the OS doesn't know about the connections and resets the connection...)
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com
________________________________________
From: King, Link [Link.King at neustar.com]
Sent: Wednesday, March 16, 2011 4:53 PM
To: Smith, Donald; 'nsp-sec NSP'
Subject: Re: [nsp-sec] huge spikes in tcp 53. rackspace owns one of the ddos victims:(
>
>
>
>I see a HUGE uptick on tcp 53 on feb 26th
>http://isc.sans.edu/port.html?port=53
>date records targets sources tcpratio
>2011-02-26 171950 65816 6908 51
>
>Up till that point it was nearly all udp 53 being reported.
>
>
>So I did a 8 week and 52 week graph from our netflow system (arbor) on
>tcp 53.
>
>On the 8 week graph you will see a HUGE increase (from ~0Mbs to 800Mbs of
>tcp 53) on January 23rd or so and another on March 10th or so.
>
>So something out there is doing very bursty tcp 53 connections/scans.
># IP
>1263 61.161.141.4
> 841 76.74.170.250
> 797 76.74.170.249
> 797 76.74.170.243
> 791 76.74.170.245
> 706 76.74.170.244
> 705 76.74.170.248
> 703 76.74.170.246
>
I took a quick look at our recursive traffic and noticed this from the
Adobe IPs above (one example):
22:39:22.894763 IP 76.74.170.243.4669 > 204.74.103.146.53: S 211873738:211873738(0) win 2048
22:39:22.894829 IP 204.74.103.146.53 > 76.74.170.243.4669: S 3914357935:3914357935(0) ack 211873739 win 5840 <mss 1460>
22:39:22.962965 IP 76.74.170.243.4669 > 204.74.103.146.53: R 211873739:211873739(0) win 0
22:39:22.966669 IP 76.74.170.243.4737 > 204.74.103.146.53: S 4051229293:4051229293(0) win 2048
22:39:22.966736 IP 204.74.103.146.53 > 76.74.170.243.4737: S 3900807425:3900807425(0) ack 4051229294 win 5840 <mss 1460>
22:39:23.035276 IP 76.74.170.243.4737 > 204.74.103.146.53: R 4051229294:4051229294(0) win 0
22:39:23.035856 IP 76.74.170.243.4794 > 204.74.103.146.53: S 2449220345:2449220345(0) win 2048
22:39:23.035954 IP 204.74.103.146.53 > 76.74.170.243.4794: S 3908594633:3908594633(0) ack 2449220346 win 5840 <mss 1460>
22:39:23.104104 IP 76.74.170.243.4794 > 204.74.103.146.53: R 2449220346:2449220346(0) win 0
Small bursts like that. Seems to RST immediately and then initiate a new
connection. It does repeat but thus far not in any sort of predictable
fashion (from 1 to 7 minutes). Simple port monitor/scan of some sort?
--
Link King
link.king at neustar.com
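A detection check that follows from the capture above, added here as an example and not code from either poster: it parses legacy tcpdump summary lines, walks each client-to-server flow through SYN, SYN-ACK and the client's next packet, and counts sources whose flows end in a bare RST right after the SYN-ACK, which is the pattern both a half-open scanner and a host whose address was spoofed in the original SYNs would produce. The 198.51.100.7 client, its port numbers and its sequence numbers are constructed; the probe lines are the first two probes from the capture.

```python
import re
from collections import Counter

# Legacy tcpdump TCP summary line; the ACK bit shows only as a trailing "ack N", so "S ... ack" is a SYN-ACK
# and a bare "R" is an RST without ACK (exactly what the capture above shows).
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SRPF.]+) "
)

def parse(line):
    """Return (src, sport, dst, dport, flags, has_ack), or None for non-TCP lines."""
    m = LINE_RE.match(line)
    return None if m is None else (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"], " ack " in line)

def classify_flows(lines):
    """Track each client->server flow: 'syn' -> 'synack' -> 'established' (client ACKs) or 'half_open_rst'
    (client answers the SYN-ACK with a bare RST, as a half-open scanner or a spoofed-address victim would)."""
    flows = {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flags, has_ack = p
        if "S" in flags and not has_ack:  # client SYN opens a flow
            flows[(src, sport, dst, dport)] = "syn"
        elif "S" in flags and flows.get((dst, dport, src, sport)) == "syn":  # server SYN-ACK
            flows[(dst, dport, src, sport)] = "synack"
        elif flows.get((src, sport, dst, dport)) == "synack":  # client's next packet decides
            flows[(src, sport, dst, dport)] = "half_open_rst" if "R" in flags and not has_ack else "established"
    return flows

def probe_sources(lines, min_flows=2):
    """Count half-open-then-reset flows per client IP and report those at or above min_flows."""
    hits = Counter(k[0] for k, st in classify_flows(lines).items() if st == "half_open_rst")
    return {ip: n for ip, n in hits.items() if n >= min_flows}

# Sample input: the first two probes from the capture above, plus a constructed client (198.51.100.7,
# a documentation address) that completes its handshake and must not be flagged.
SAMPLE = [
    "22:39:22.894763 IP 76.74.170.243.4669 > 204.74.103.146.53: S 211873738:211873738(0) win 2048",
    "22:39:22.894829 IP 204.74.103.146.53 > 76.74.170.243.4669: S 3914357935:3914357935(0) ack 211873739 win 5840 <mss 1460>",
    "22:39:22.962965 IP 76.74.170.243.4669 > 204.74.103.146.53: R 211873739:211873739(0) win 0",
    "22:39:22.966669 IP 76.74.170.243.4737 > 204.74.103.146.53: S 4051229293:4051229293(0) win 2048",
    "22:39:22.966736 IP 204.74.103.146.53 > 76.74.170.243.4737: S 3900807425:3900807425(0) ack 4051229294 win 5840 <mss 1460>",
    "22:39:23.035276 IP 76.74.170.243.4737 > 204.74.103.146.53: R 4051229294:4051229294(0) win 0",
    "22:39:23.200000 IP 198.51.100.7.50001 > 204.74.103.146.53: S 1000:1000(0) win 65535 <mss 1460>",
    "22:39:23.200100 IP 204.74.103.146.53 > 198.51.100.7.50001: S 2000:2000(0) ack 1001 win 5840 <mss 1460>",
    "22:39:23.200300 IP 198.51.100.7.50001 > 204.74.103.146.53: . ack 2001 win 65535",
]
```

Run over a longer capture, `probe_sources` alone cannot tell a scanner from a spoofed victim; the RST timing and whether the same source also completes handshakes elsewhere are what separate the two.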