[Imc-tech] strange traffic

Zachary C. Miller zach at chambana.net
Fri Jun 11 04:46:36 CDT 2004 

I've started running the latest version of ntop on my server (it is
stable enough to run as a daemon unlike older versions) and I've just
been poking at the data and I found something weird. Does anyone know
why any host would be transfering megabytes of DNS data only?

2 hosts: 
12.47.120.130
12.47.120.132

These hosts transfered a few megabytes per hour in DNS requests from
my machine for several hours today. They have been the biggest overall
bandwidth eaters of the day. They are both part of this subnet:

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
                                  12.0.0.0 - 12.255.255.255
CRESTLINE HOTELS AND RESORTS CRESTLIN25-120-128 (NET-12-47-120-128-1)
                                  12.47.120.128 - 12.47.120.191

I port scanned these two hosts and came up with this:

Interesting ports on  (12.47.120.132):
Port       State       Service
53/tcp     closed      domain
264/tcp    open        bgmp
500/tcp    closed      isakmp
6666/tcp   closed      irc-serv
6667/tcp   closed      irc
6668/tcp   closed      irc
7000/tcp   closed      afs3-fileserver

Interesting ports on cctrend.crestlinecapital.com (12.47.120.130):
(The 1547 ports scanned but not shown below are in state: filtered)
Port       State       Service
53/tcp     closed      domain
264/tcp    open        bgmp
500/tcp    closed      isakmp
6666/tcp   closed      irc-serv
6667/tcp   closed      irc
6668/tcp   closed      irc
7000/tcp   closed      afs3-fileserver

Traceroute shows this: 

traceroute to 12.47.120.132 (12.47.120.132), 30 hops max, 38 byte packets
 1  gw (64.5.70.193)  0.972 ms  0.869 ms  0.855 ms
 2  gw.soltec.net (64.5.64.1)  17.561 ms  21.823 ms  50.840 ms
 3  68-22-250-17.cust-rtr.ameritech.net (68.22.250.17)  22.736 ms  32.047 ms  19.844 ms
 4  bb2-g8-0.chmpil.ameritech.net (67.36.90.116)  17.467 ms  22.499 ms  20.653 ms
 5  bb2-p4-1.emhril.ameritech.net (151.164.190.233)  23.015 ms  20.035 ms  20.720 ms
 6  ex1-p6-0.eqchil.sbcglobal.net (151.164.240.146)  32.402 ms  38.723 ms  67.894 ms
 7  sl-st20-chi-0-0.sprintlink.net (144.223.241.57)  22.616 ms  20.014 ms  21.061 ms
 8  sprint-gw.cgcil.ip.att.net (192.205.32.149)  20.904 ms  23.107 ms  20.948 ms
 9  tbr2-p014001.cgcil.ip.att.net (12.123.6.70)  21.307 ms  22.860 ms  24.097 ms
10  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  34.620 ms  63.064 ms  32.852 ms
11  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  30.195 ms  30.839 ms  34.123 ms
12  tbr1-cl4.wswdc.ip.att.net (12.122.10.29)  47.818 ms  65.078 ms  63.053 ms
13  gbr6-p20.wswdc.ip.att.net (12.122.11.174)  74.946 ms  43.994 ms  45.021 ms
14  ar1-p3110.arlva.ip.att.net (12.123.194.37)  44.873 ms  43.997 ms  44.863 ms
15  12.124.232.26 (12.124.232.26)  53.992 ms 12.124.232.50 (12.124.232.50)  47.198 ms  47.398 ms
16  * * *

I have banned the entire 12.47.120.128/26 subnet for now.

-- 
Zachary C. Miller - @= - http://wolfgang.groogroo.com/
IMSA 1995 - UIUC 2000 - Just Another Leftist Muppet - Ya Basta!
 Social Justice, Community, Nonviolence, Decentralization, Feminism,
 Sustainability, Responsibility, Diversity, Democracy, Ecology

More information about the Imc-tech mailing list