[Intrusions] strange set of ip fragments against dns server
Carles Fragoso i Mariscal
cfragoso at cesca.es
Tue Nov 9 00:00:05 GMT 2004
Hi team,
We are receiving a strange set of IP fragments against one of our DNS servers (A.B.C.D), which seem to be sourced from the same C class (83.102.166.0/24, a Russian ISP), where ttl is 49, len is 45 and IPIDs seem to be pretty random.
That network seems to be between 11 and 14 hops away, giving a possible initial TTL of 60-64.
Has anyone seen anything similar? Any ideas?
...............................................................
00:22:15.078691 83.102.166.7 > A.B.C.D: (frag 1861:25 at 512)
00:22:20.986039 83.102.166.33 > A.B.C.D: (frag 38756:25 at 512)
00:22:29.909213 83.102.166.44 > A.B.C.D: (frag 1718:25 at 512)
00:22:33.038511 83.102.166.43 > A.B.C.D: (frag 57823:25 at 512)
00:22:48.414517 83.102.166.41 > A.B.C.D: (frag 64547:25 at 512)
00:23:08.288978 83.102.166.33 > A.B.C.D: (frag 22655:25 at 512)
00:23:13.400633 83.102.166.43 > A.B.C.D: (frag 47312:25 at 512)
00:23:14.412149 83.102.166.44 > A.B.C.D: (frag 162:25 at 512)
00:23:51.147341 83.102.166.54 > A.B.C.D: (frag 61959:25 at 512)
00:23:51.493758 83.102.166.58 > A.B.C.D: (frag 1958:25 at 512)
00:24:00.857637 83.102.166.76 > A.B.C.D: (frag 42278:25 at 512)
00:24:04.018650 83.102.166.59 > A.B.C.D: (frag 33613:25 at 512)
00:24:20.476301 83.102.166.24 > A.B.C.D: (frag 64081:25 at 512)
00:25:02.727780 83.102.166.46 > A.B.C.D: (frag 24596:25 at 512)
00:25:07.178172 83.102.166.49 > A.B.C.D: (frag 39212:25 at 512)
00:25:21.461390 83.102.166.131 > A.B.C.D: (frag 33871:25 at 512)
00:25:25.230504 83.102.166.217 > A.B.C.D: (frag 33265:25 at 512)
00:26:24.993722 83.102.166.26 > A.B.C.D: (frag 53763:25 at 512)
00:26:53.192919 83.102.166.23 > A.B.C.D: (frag 31197:25 at 512)
00:26:54.875637 83.102.166.45 > A.B.C.D: (frag 61715:25 at 512)
00:27:09.446301 83.102.166.59 > A.B.C.D: (frag 56906:25 at 512)
00:27:15.053166 83.102.166.22 > A.B.C.D: (frag 26055:25 at 512)
00:27:28.068247 83.102.166.47 > A.B.C.D: (frag 59043:25 at 512)
00:27:35.049413 83.102.166.54 > A.B.C.D: (frag 52384:25 at 512)
00:27:46.357032 83.102.166.53 > A.B.C.D: (frag 56693:25 at 512)
00:27:48.806295 83.102.166.52 > A.B.C.D: (frag 34849:25 at 512)
00:27:49.923808 83.102.166.33 > A.B.C.D: (frag 54862:25 at 512)
00:27:56.340161 83.102.166.21 > A.B.C.D: (frag 39111:25 at 512)
00:28:10.987790 83.102.166.15 > A.B.C.D: (frag 35496:25 at 512)
00:28:12.437082 83.102.166.55 > A.B.C.D: (frag 61556:25 at 512)
00:28:19.895857 83.102.166.46 > A.B.C.D: (frag 62827:25 at 512)
00:28:30.107670 83.102.166.22 > A.B.C.D: (frag 47444:25 at 512)
00:28:43.400149 83.102.166.49 > A.B.C.D: (frag 22142:25 at 512)
00:28:48.002011 83.102.166.46 > A.B.C.D: (frag 39714:25 at 512)
00:28:48.690701 83.102.166.33 > A.B.C.D: (frag 51581:25 at 512)
00:29:00.182057 83.102.166.15 > A.B.C.D: (frag 62629:25 at 512)
...............................................................
Thanks in advance!
--------------------------------------------------------------------------
Carlos Fragoso Mariscal - Network & Security Engineer / Incident Handler
Anella Cientifica RREN Incident Response Team (ERIAC) - AS13041 CFM1-RIPE
Communications and Operations Dept. - Supercomputing Center of Catalonia
mail:cfragoso at cesca.es phone:+34932056464 pgp:0x0E4EDE07 inocdba:13041*CFM
--------------------------------------------------------------------------
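
Added example, not part of the original post: one way to triage a capture like the one above is to group the tcpdump fragment lines by (source, IPID) and report datagrams for which no offset-0 fragment was ever seen. The function names, the constructed 192.0.2.10 lines and the 20-byte IP header (no options) are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Old-style tcpdump fragment summary: (frag <ipid>:<size> at <offset>[+]);
# a trailing "+" means the More Fragments flag is set.
FRAG_RE = re.compile(
    r"^[\d:.]+ (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > \S+: "
    r".*?\(frag (?P<id>\d+):(?P<size>\d+) at (?P<off>\d+)(?P<mf>\+?)\)")

# First five lines come from the capture in the post. The last two are
# constructed: a complete two-fragment datagram from a documentation address.
SAMPLE = """\
00:22:15.078691 83.102.166.7 > A.B.C.D: (frag 1861:25 at 512)
00:22:20.986039 83.102.166.33 > A.B.C.D: (frag 38756:25 at 512)
00:22:29.909213 83.102.166.44 > A.B.C.D: (frag 1718:25 at 512)
00:22:33.038511 83.102.166.43 > A.B.C.D: (frag 57823:25 at 512)
00:23:08.288978 83.102.166.33 > A.B.C.D: (frag 22655:25 at 512)
00:30:00.000001 192.0.2.10.1024 > A.B.C.D.53: udp 529 (frag 100:512 at 0+)
00:30:00.000002 192.0.2.10 > A.B.C.D: (frag 100:25 at 512)
"""

def parse(text):
    """Return one dict per fragment line; other lines are skipped."""
    frags = []
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip())
        if m:
            frags.append({"src": m["src"], "id": int(m["id"]),
                          "size": int(m["size"]), "off": int(m["off"]),
                          "mf": m["mf"] == "+"})
    return frags

def summarize(frags, prefix_len=24, ip_header=20):
    """Group by (src, IPID) and report datagrams lacking a first fragment."""
    datagrams = defaultdict(list)
    for f in frags:
        datagrams[(f["src"], f["id"])].append(f)
    # Orphan: no fragment at offset 0, so the transport header was never seen.
    orphans = [k for k, fs in datagrams.items() if all(f["off"] > 0 for f in fs)]
    orphan_frags = [f for k in orphans for f in datagrams[k]]
    nets = Counter(str(ip_network(f"{src}/{prefix_len}", strict=False))
                   for src, _ in orphans)
    shapes = Counter((f["size"], f["off"], f["mf"]) for f in orphan_frags)
    # ip_header=20 assumes no IP options (assumption, not stated in the post).
    return {"orphans": len(orphans), "by_net": dict(nets), "shapes": dict(shapes),
            "ip_total_len": sorted({f["size"] + ip_header for f in orphan_frags})}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

On the sample, every 83.102.166.0/24 datagram is an orphan with the single shape (25 bytes at offset 512, last fragment), and 25 + 20 gives the total length of 45 quoted in the post, while the constructed datagram is not flagged.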