[Intrusions] strange set of ip fragments against dns server

Jack McCarthy intrusion.list at jackmccarthy.com
Thu Nov 11 21:57:04 GMT 2004


--- Carles Fragoso i Mariscal <cfragoso at cesca.es> wrote:
Tue, 9 Nov 2004 01:00:05 +0100

Hi team,

We are receiving a strange set of ip fragments against one of our dns servers (A.B.C.D) which seems sourced from the same C class (83.102.166.0/24, a Russian ISP) where ttl is 49, len is 45 and IPIDs seem to be pretty random. 

That network seems to be between 11 and 14 hops away giving a possible initial TTL of 60-64.

Has someone seen anything similar? Any ideas?

...............................................................
00:22:15.078691 83.102.166.7     > A.B.C.D: (frag 1861:25 at 512)
00:22:20.986039 83.102.166.33    > A.B.C.D: (frag 38756:25 at 512)
00:22:29.909213 83.102.166.44    > A.B.C.D: (frag 1718:25 at 512)
00:22:33.038511 83.102.166.43    > A.B.C.D: (frag 57823:25 at 512)
00:22:48.414517 83.102.166.41    > A.B.C.D: (frag 64547:25 at 512)
00:23:08.288978 83.102.166.33    > A.B.C.D: (frag 22655:25 at 512)
00:23:13.400633 83.102.166.43    > A.B.C.D: (frag 47312:25 at 512)
00:23:14.412149 83.102.166.44    > A.B.C.D: (frag 162:25 at 512)
00:23:51.147341 83.102.166.54    > A.B.C.D: (frag 61959:25 at 512)
00:23:51.493758 83.102.166.58    > A.B.C.D: (frag 1958:25 at 512)
00:24:00.857637 83.102.166.76    > A.B.C.D: (frag 42278:25 at 512)
00:24:04.018650 83.102.166.59    > A.B.C.D: (frag 33613:25 at 512)
00:24:20.476301 83.102.166.24    > A.B.C.D: (frag 64081:25 at 512)
00:25:02.727780 83.102.166.46    > A.B.C.D: (frag 24596:25 at 512)
00:25:07.178172 83.102.166.49    > A.B.C.D: (frag 39212:25 at 512)
00:25:21.461390 83.102.166.131   > A.B.C.D: (frag 33871:25 at 512)
00:25:25.230504 83.102.166.217   > A.B.C.D: (frag 33265:25 at 512)
00:26:24.993722 83.102.166.26    > A.B.C.D: (frag 53763:25 at 512)
00:26:53.192919 83.102.166.23    > A.B.C.D: (frag 31197:25 at 512)
00:26:54.875637 83.102.166.45    > A.B.C.D: (frag 61715:25 at 512)
00:27:09.446301 83.102.166.59    > A.B.C.D: (frag 56906:25 at 512)
00:27:15.053166 83.102.166.22    > A.B.C.D: (frag 26055:25 at 512)
00:27:28.068247 83.102.166.47    > A.B.C.D: (frag 59043:25 at 512)
00:27:35.049413 83.102.166.54    > A.B.C.D: (frag 52384:25 at 512)
00:27:46.357032 83.102.166.53    > A.B.C.D: (frag 56693:25 at 512)
00:27:48.806295 83.102.166.52    > A.B.C.D: (frag 34849:25 at 512)
00:27:49.923808 83.102.166.33    > A.B.C.D: (frag 54862:25 at 512)
00:27:56.340161 83.102.166.21    > A.B.C.D: (frag 39111:25 at 512)
00:28:10.987790 83.102.166.15    > A.B.C.D: (frag 35496:25 at 512)
00:28:12.437082 83.102.166.55    > A.B.C.D: (frag 61556:25 at 512)
00:28:19.895857 83.102.166.46    > A.B.C.D: (frag 62827:25 at 512)
00:28:30.107670 83.102.166.22    > A.B.C.D: (frag 47444:25 at 512)
00:28:43.400149 83.102.166.49    > A.B.C.D: (frag 22142:25 at 512)
00:28:48.002011 83.102.166.46    > A.B.C.D: (frag 39714:25 at 512)
00:28:48.690701 83.102.166.33    > A.B.C.D: (frag 51581:25 at 512)
00:29:00.182057 83.102.166.15    > A.B.C.D: (frag 62629:25 at 512)
...............................................................

Thanks in advance!


Seeing the same exact thing here to our dns.  Haven't had a chance to dig that deep yet.  Here's a sample from last night's logs:

-Jack

Timestamps are GMT-0500.

windump -nv -r 2004.11.10.int.2 > 2004.11.10.int.2-nv-frag1.txt net 83.102.166.0/24

17:25:54.529992 IP (tos 0x0, ttl  54, id 20342, offset 512, flags [none], length: 45) 83.102.166.15 > w.x.y.z: udp
17:26:36.732039 IP (tos 0x0, ttl  54, id 40399, offset 512, flags [none], length: 45) 83.102.166.54 > w.x.y.z: udp
17:27:35.281168 IP (tos 0x0, ttl  54, id 56265, offset 512, flags [none], length: 45) 83.102.166.33 > w.x.y.z: udp
17:28:19.062315 IP (tos 0x0, ttl  54, id 41374, offset 512, flags [none], length: 45) 83.102.166.55 > w.x.y.z: udp
17:28:21.899029 IP (tos 0x0, ttl  54, id 19471, offset 512, flags [none], length: 45) 83.102.166.24 > w.x.y.z: udp
17:28:48.625041 IP (tos 0x0, ttl  54, id 55757, offset 512, flags [none], length: 45) 83.102.166.33 > w.x.y.z: udp
17:29:12.959303 IP (tos 0x0, ttl  54, id 52538, offset 512, flags [none], length: 45) 83.102.166.24 > w.x.y.z: udp
17:30:09.296466 IP (tos 0x0, ttl  54, id 38304, offset 512, flags [none], length: 45) 83.102.166.76 > w.x.y.z: udp
17:30:27.510734 IP (tos 0x0, ttl  54, id 5220, offset 512, flags [none], length: 45) 83.102.166.42 > w.x.y.z: udp
17:31:00.886452 IP (tos 0x0, ttl  54, id 17915, offset 512, flags [none], length: 45) 83.102.166.55 > w.x.y.z: udp
17:31:20.366129 IP (tos 0x0, ttl  54, id 1012, offset 512, flags [none], length: 45) 83.102.166.15 > w.x.y.z: udp
17:31:42.492773 IP (tos 0x0, ttl  54, id 32494, offset 512, flags [none], length: 45) 83.102.166.21 > w.x.y.z: udp
17:31:48.473495 IP (tos 0x0, ttl  54, id 63484, offset 512, flags [none], length: 45) 83.102.166.4 > w.x.y.z: udp
17:32:38.423417 IP (tos 0x0, ttl  54, id 19546, offset 512, flags [none], length: 45) 83.102.166.1 > w.x.y.z: udp
17:32:58.037262 IP (tos 0x0, ttl  54, id 7973, offset 512, flags [none], length: 45) 83.102.166.43 > w.x.y.z: udp
17:33:35.424161 IP (tos 0x0, ttl  54, id 25444, offset 512, flags [none], length: 45) 83.102.166.22 > w.x.y.z: udp
17:33:43.892312 IP (tos 0x0, ttl  54, id 29663, offset 512, flags [none], length: 45) 83.102.166.46 > w.x.y.z: udp
17:33:44.738645 IP (tos 0x0, ttl  54, id 43725, offset 512, flags [none], length: 45) 83.102.166.217 > w.x.y.z: udp
17:34:13.302415 IP (tos 0x0, ttl  54, id 48359, offset 512, flags [none], length: 45) 83.102.166.23 > w.x.y.z: udp
17:34:24.165007 IP (tos 0x0, ttl  54, id 27499, offset 512, flags [none], length: 45) 83.102.166.26 > w.x.y.z: udp
17:34:35.628178 IP (tos 0x0, ttl  54, id 15935, offset 512, flags [none], length: 45) 83.102.166.131 > w.x.y.z: udp
17:34:42.770418 IP (tos 0x0, ttl  54, id 967, offset 512, flags [none], length: 45) 83.102.166.58 > w.x.y.z: udp
17:34:57.310323 IP (tos 0x0, ttl  54, id 39813, offset 512, flags [none], length: 45) 83.102.166.131 > w.x.y.z: udp
17:35:33.098662 IP (tos 0x0, ttl  54, id 32950, offset 512, flags [none], length: 45) 83.102.166.7 > w.x.y.z: udp
17:35:37.620472 IP (tos 0x0, ttl  54, id 41997, offset 512, flags [none], length: 45) 83.102.166.217 > w.x.y.z: udp
17:36:18.626514 IP (tos 0x0, ttl  54, id 48934, offset 512, flags [none], length: 45) 83.102.166.76 > w.x.y.z: udp
17:37:15.104947 IP (tos 0x0, ttl  54, id 53767, offset 512, flags [none], length: 45) 83.102.166.15 > w.x.y.z: udp
17:37:57.509132 IP (tos 0x0, ttl  54, id 18724, offset 512, flags [none], length: 45) 83.102.166.26 > w.x.y.z: udp
17:38:05.559059 IP (tos 0x0, ttl  54, id 20052, offset 512, flags [none], length: 45) 83.102.166.41 > w.x.y.z: udp
17:38:21.977893 IP (tos 0x0, ttl  54, id 23837, offset 512, flags [none], length: 45) 83.102.166.55 > w.x.y.z: udp
17:38:50.115488 IP (tos 0x0, ttl  54, id 26973, offset 512, flags [none], length: 45) 83.102.166.24 > w.x.y.z: udp
17:39:36.456991 IP (tos 0x0, ttl  54, id 62280, offset 512, flags [none], length: 45) 83.102.166.48 > w.x.y.z: udp
17:39:39.691778 IP (tos 0x0, ttl  54, id 51023, offset 512, flags [none], length: 45) 83.102.166.1 > w.x.y.z: udp
17:39:41.427503 IP (tos 0x0, ttl  54, id 13161, offset 512, flags [none], length: 45) 83.102.166.55 > w.x.y.z: udp
17:40:10.003293 IP (tos 0x0, ttl  54, id 24485, offset 512, flags [none], length: 45) 83.102.166.26 > w.x.y.z: udp
17:40:22.737439 IP (tos 0x0, ttl  54, id 37742, offset 512, flags [none], length: 45) 83.102.166.217 > w.x.y.z: udp
17:40:35.785080 IP (tos 0x0, ttl  54, id 53352, offset 512, flags [none], length: 45) 83.102.166.43 > w.x.y.z: udp
17:40:39.325656 IP (tos 0x0, ttl  54, id 45983, offset 512, flags [none], length: 45) 83.102.166.42 > w.x.y.z: udp
17:40:54.589587 IP (tos 0x0, ttl  54, id 37446, offset 512, flags [none], length: 45) 83.102.166.24 > w.x.y.z: udp
17:40:54.839222 IP (tos 0x0, ttl  54, id 41233, offset 512, flags [none], length: 45) 83.102.166.24 > w.x.y.z: udp
17:41:16.060990 IP (tos 0x0, ttl  54, id 59495, offset 512, flags [none], length: 45) 83.102.166.41 > w.x.y.z: udp
17:41:43.321758 IP (tos 0x0, ttl  54, id 48953, offset 512, flags [none], length: 45) 83.102.166.12 > w.x.y.z: udp
17:41:47.867541 IP (tos 0x0, ttl  54, id 58953, offset 512, flags [none], length: 45) 83.102.166.4 > w.x.y.z: udp
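An added example, not code from either poster: a small Python checker for windump -nv lines in the format above that flags tail fragments arriving with no matching first fragment (offset > 0, MF clear, no earlier offset-0 piece from the same source and IPID), summarizes them per source /24, and turns an observed TTL into a hop estimate. The sample lines are constructed in the same format; 198.51.100.9 is a documentation address standing in for a normal two-piece datagram.

```python
import re
from collections import Counter

# Constructed sample in the windump -nv format quoted above: two of the reported
# tail fragments, then a normal two-piece datagram (first fragment carries MF "[+]").
SAMPLE = """\
17:25:54.529992 IP (tos 0x0, ttl  54, id 20342, offset 512, flags [none], length: 45) 83.102.166.15 > w.x.y.z: udp
17:26:36.732039 IP (tos 0x0, ttl  54, id 40399, offset 512, flags [none], length: 45) 83.102.166.54 > w.x.y.z: udp
17:27:00.000000 IP (tos 0x0, ttl  54, id 100, offset 0, flags [+], length: 1500) 198.51.100.9 > w.x.y.z: udp
17:27:00.000100 IP (tos 0x0, ttl  54, id 100, offset 1480, flags [none], length: 120) 198.51.100.9 > w.x.y.z: udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl\s+(?P<ttl>\d+), id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\) (?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+)"
)

def parse(text):
    """windump -nv lines -> list of dicts (numeric fields as int); non-matching lines skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d.update({k: int(d[k]) for k in ("ttl", "id", "off", "len")})
            pkts.append(d)
    return pkts

def orphan_tail_fragments(pkts):
    """Last fragments (offset > 0, MF clear) whose (src, id) had no earlier first fragment."""
    seen_first, orphans = set(), []
    for p in pkts:
        key = (p["src"], p["id"])
        if p["off"] == 0:
            seen_first.add(key)
        elif "+" not in p["flags"] and key not in seen_first:
            orphans.append(p)
    return orphans

def summarize(orphans):
    """Per-/24 counts, distinct hosts, TTL set, and whether every IPID is unique."""
    nets = Counter(".".join(p["src"].split(".")[:3]) + ".0/24" for p in orphans)
    ids = [p["id"] for p in orphans]
    return {"nets": dict(nets), "hosts": len({p["src"] for p in orphans}),
            "ttls": sorted({p["ttl"] for p in orphans}), "unique_ids": len(set(ids)) == len(ids)}

def hop_estimate(ttl):
    # Nearest common initial TTL (64/128/255) at or above the observed value, and the hop count.
    init = next(i for i in (64, 128, 255) if i >= ttl)
    return init, init - ttl
```

Feed it the full capture instead of SAMPLE and a non-empty orphan list with a single /24, one TTL value and all-unique IPIDs reproduces the fingerprint both posters describe; the same regex ignores the older "(frag id:len at off)" layout in the first message.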