[Imc-tech] strange traffic
David Young
dyoung at pobox.com
Fri Jun 11 21:38:30 CDT 2004
On Fri, Jun 11, 2004 at 04:46:36AM -0500, Zachary C. Miller wrote:
> I've started running the latest version of ntop on my server (it is
> stable enough to run as a daemon unlike older versions) and I've just
> been poking at the data and I found something weird. Does anyone know
> why any host would be transferring megabytes of DNS data only?
Two things come to mind:
1) There might be a buffer overflow bug in named(8); the remote host
is trying to exploit it.
2) DNS is a "covert channel" for, say, an IP tunnel. The tunnel
endpoint might be at your host, but maybe not: my understanding of DNS
is pretty shallow, but there is this notion of "recursive lookup";
maybe recursion could terminate the tunnel at some other host?
Semi-anonymously? That would be clever.
Dave
>
> 2 hosts:
> 12.47.120.130
> 12.47.120.132
>
> These hosts transferred a few megabytes per hour in DNS requests from
> my machine for several hours today. They have been the biggest overall
> bandwidth eaters of the day. They are both part of this subnet:
>
> AT&T WorldNet Services ATT (NET-12-0-0-0-1)
> 12.0.0.0 - 12.255.255.255
> CRESTLINE HOTELS AND RESORTS CRESTLIN25-120-128 (NET-12-47-120-128-1)
> 12.47.120.128 - 12.47.120.191
>
> I port scanned these two hosts and came up with this:
>
> Interesting ports on (12.47.120.132):
> Port State Service
> 53/tcp closed domain
> 264/tcp open bgmp
> 500/tcp closed isakmp
> 6666/tcp closed irc-serv
> 6667/tcp closed irc
> 6668/tcp closed irc
> 7000/tcp closed afs3-fileserver
>
> Interesting ports on cctrend.crestlinecapital.com (12.47.120.130):
> (The 1547 ports scanned but not shown below are in state: filtered)
> Port State Service
> 53/tcp closed domain
> 264/tcp open bgmp
> 500/tcp closed isakmp
> 6666/tcp closed irc-serv
> 6667/tcp closed irc
> 6668/tcp closed irc
> 7000/tcp closed afs3-fileserver
>
> Traceroute shows this:
>
> traceroute to 12.47.120.132 (12.47.120.132), 30 hops max, 38 byte packets
> 1 gw (64.5.70.193) 0.972 ms 0.869 ms 0.855 ms
> 2 gw.soltec.net (64.5.64.1) 17.561 ms 21.823 ms 50.840 ms
> 3 68-22-250-17.cust-rtr.ameritech.net (68.22.250.17) 22.736 ms 32.047 ms 19.844 ms
> 4 bb2-g8-0.chmpil.ameritech.net (67.36.90.116) 17.467 ms 22.499 ms 20.653 ms
> 5 bb2-p4-1.emhril.ameritech.net (151.164.190.233) 23.015 ms 20.035 ms 20.720 ms
> 6 ex1-p6-0.eqchil.sbcglobal.net (151.164.240.146) 32.402 ms 38.723 ms 67.894 ms
> 7 sl-st20-chi-0-0.sprintlink.net (144.223.241.57) 22.616 ms 20.014 ms 21.061 ms
> 8 sprint-gw.cgcil.ip.att.net (192.205.32.149) 20.904 ms 23.107 ms 20.948 ms
> 9 tbr2-p014001.cgcil.ip.att.net (12.123.6.70) 21.307 ms 22.860 ms 24.097 ms
> 10 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 34.620 ms 63.064 ms 32.852 ms
> 11 tbr1-cl2.sl9mo.ip.att.net (12.122.9.141) 30.195 ms 30.839 ms 34.123 ms
> 12 tbr1-cl4.wswdc.ip.att.net (12.122.10.29) 47.818 ms 65.078 ms 63.053 ms
> 13 gbr6-p20.wswdc.ip.att.net (12.122.11.174) 74.946 ms 43.994 ms 45.021 ms
> 14 ar1-p3110.arlva.ip.att.net (12.123.194.37) 44.873 ms 43.997 ms 44.863 ms
> 15 12.124.232.26 (12.124.232.26) 53.992 ms 12.124.232.50 (12.124.232.50) 47.198 ms 47.398 ms
> 16 * * *
>
> I have banned the entire 12.47.120.128/26 subnet for now.
>
> --
> Zachary C. Miller - @= - http://wolfgang.groogroo.com/
> IMSA 1995 - UIUC 2000 - Just Another Leftist Muppet - Ya Basta!
> Social Justice, Community, Nonviolence, Decentralization, Feminism,
> Sustainability, Responsibility, Diversity, Democracy, Ecology
> _______________________________________________
> Imc-tech mailing list
> Imc-tech at urbana.indymedia.org
> http://lists.cu.groogroo.com/cgi-bin/listinfo/imc-tech
--
David Young OJC Technologies
dyoung at ojctech.com Urbana, IL * (217) 278-3933
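The second hypothesis above (DNS as a covert channel) has a recognisable shape in query logs: one client moves a lot of bytes, the leftmost labels look like encoded data rather than hostnames, and many distinct names fall under a single zone. The following is an added example of a simple detector for that pattern, not code from this thread or from ntop; the log lines and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (client, queried name, qtype, wire bytes).
# Made up for illustration; not data from the thread above.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A", 33),
    ("10.0.0.5", "mail.example.com", "MX", 34),
    ("10.0.0.9", "zx9q2kd8a1.tun.example.net", "TXT", 58),
    ("10.0.0.9", "p0e7r3mm4c.tun.example.net", "TXT", 58),
    ("10.0.0.9", "kq8z1v5w2y.tun.example.net", "TXT", 58),
    ("10.0.0.9", "a7c3b9xq0l.tun.example.net", "TXT", 58),
]

def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost label, where tunnels encode data."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Crude registrable domain: last two labels (assumption; no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def flag_tunnel_clients(queries, min_bytes=150, min_entropy=3.0, min_unique=3):
    """Return {client: [reasons]} for clients whose DNS traffic looks like a covert
    channel; all three heuristics must fire, which keeps false positives down."""
    stats = defaultdict(lambda: {"bytes": 0, "ent": [], "zones": defaultdict(set)})
    for client, qname, _qtype, nbytes in queries:
        s = stats[client]
        s["bytes"] += nbytes
        s["ent"].append(label_entropy(qname))
        s["zones"][base_domain(qname)].add(qname)   # distinct names per zone
    flagged = {}
    for client, s in stats.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        busiest = max(len(names) for names in s["zones"].values())
        reasons = []
        if s["bytes"] >= min_bytes:
            reasons.append(f"{s['bytes']} bytes of DNS queries")
        if mean_ent >= min_entropy:
            reasons.append(f"mean label entropy {mean_ent:.2f}")
        if busiest >= min_unique:
            reasons.append(f"{busiest} unique names under one zone")
        if len(reasons) == 3:
            flagged[client] = reasons
    return flagged
```

On the sample log only 10.0.0.9 is flagged; the thresholds are starting points and should be tuned against a site's normal resolver traffic, since CDNs and anti-spam lookups also produce many unique, high-entropy names.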