[Dshield] Abundant Port 53 scans

Kelley Paul pfkelley at JPScorp.com
Tue Jul 10 18:26:26 GMT 2001


I was getting TCP DNS SYN-ACKs from many different IP addresses. These
packets came from IP addresses all over the globe and were not attached to
hosts that could be found by DNS. I was able to trace one valid IP address
and sent a copy of the trace with a question to the tech contact for the
domain. I have attached three trace frames to illustrate what I was seeing
and their response to my email. Their explanation is a Cisco load balancer.
I have a question for the experts here. Is Cisco's implementation a legitimate
use of the TCP protocol?

			Thanks
			Paul

- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
"    M ","     1","0.000.000    ","[xxx.xxx.xxx.xxx]    ","[140.239.176.162] ","   60 ","TCP"," D=53 S=64252 SYN ACK=25957485 SEQ=25957486 LEN=0 WIN=4128"
DLC:  ----- DLC Header -----
      DLC:  
      DLC:  Frame 1 arrived at  16:22:15.6898; frame size is 60 (003C hex) bytes.
      DLC:  Destination = Station Kngstn2DB055
      DLC:  Source      = Station Cisc14B914AC
      DLC:  Ethertype   = 0800 (IP)
      DLC:  
IP: ----- IP Header -----
      IP: 
      IP: Version = 4, header length = 20 bytes
      IP: Type of service = 00
      IP:       000. ....   = routine
      IP:       ...0 .... = normal delay
      IP:       .... 0... = normal throughput
      IP:       .... .0.. = normal reliability
      IP:       .... ..0. = ECT bit - transport protocol will ignore the CE bit
      IP:       .... ...0 = CE bit - no congestion
      IP: Total length    = 44 bytes
      IP: Identification  = 0
      IP: Flags           = 0X
      IP:       .0.. .... = may fragment
      IP:       ..0. .... = last fragment
      IP: Fragment offset = 0 bytes
      IP: Time to live    = 240 seconds/hops
      IP: Protocol        = 6 (TCP)
      IP: Header checksum = 050A (correct)
      IP: Source address      = [140.239.176.162]
      IP: Destination address = [xxx.xxx.xxx.xxx]
      IP: No options
      IP: 
TCP: ----- TCP header -----
      TCP: 
      TCP: Source port             = 64252
      TCP: Destination port        = 53 (Domain)
      TCP: Initial sequence number = 25957486
      TCP: Next expected Seq number= 25957487
      TCP: Acknowledgment number   = 25957485
      TCP: Data offset             = 24 bytes
      TCP: Flags                   = 12
      TCP:               ..0. .... = (No urgent pointer)
      TCP:               ...1 .... = Acknowledgment
      TCP:               .... 0... = (No push)
      TCP:               .... .0.. = (No reset)
      TCP:               .... ..1. = SYN
      TCP:               .... ...0 = (No FIN)
      TCP: Window                  = 4128
      TCP: Checksum                = 9EAB (correct)
      TCP: 
      TCP: Options follow
      TCP: Maximum segment size = 536
      TCP: 

- - - - - - - - - - - - - - - - - - - - Frame 2 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
"      ","     2","1.973.042    ","[xxx.xxx.xxx.xxx]    ","[140.239.176.162] ","   60 ","TCP"," D=53 S=64574 SYN ACK=25957807 SEQ=25957808 LEN=0 WIN=4128"
DLC:  ----- DLC Header -----
      DLC:  
      DLC:  Frame 2 arrived at  16:22:17.6628; frame size is 60 (003C hex) bytes.
      DLC:  Destination = Station Kngstn2DB055
      DLC:  Source      = Station Cisc14B914AC
      DLC:  Ethertype   = 0800 (IP)
      DLC:  
IP: ----- IP Header -----
      IP: 
      IP: Version = 4, header length = 20 bytes
      IP: Type of service = 00
      IP:       000. ....   = routine
      IP:       ...0 .... = normal delay
      IP:       .... 0... = normal throughput
      IP:       .... .0.. = normal reliability
      IP:       .... ..0. = ECT bit - transport protocol will ignore the CE bit
      IP:       .... ...0 = CE bit - no congestion
      IP: Total length    = 44 bytes
      IP: Identification  = 0
      IP: Flags           = 0X
      IP:       .0.. .... = may fragment
      IP:       ..0. .... = last fragment
      IP: Fragment offset = 0 bytes
      IP: Time to live    = 240 seconds/hops
      IP: Protocol        = 6 (TCP)
      IP: Header checksum = 050A (correct)
      IP: Source address      = [140.239.176.162]
      IP: Destination address = [xxx.xxx.xxx.xxx]
      IP: No options
      IP: 
TCP: ----- TCP header -----
      TCP: 
      TCP: Source port             = 64574
      TCP: Destination port        = 53 (Domain)
      TCP: Initial sequence number = 25957808
      TCP: Next expected Seq number= 25957809
      TCP: Acknowledgment number   = 25957807
      TCP: Data offset             = 24 bytes
      TCP: Flags                   = 12
      TCP:               ..0. .... = (No urgent pointer)
      TCP:               ...1 .... = Acknowledgment
      TCP:               .... 0... = (No push)
      TCP:               .... .0.. = (No reset)
      TCP:               .... ..1. = SYN
      TCP:               .... ...0 = (No FIN)
      TCP: Window                  = 4128
      TCP: Checksum                = 9AE5 (correct)
      TCP: 
      TCP: Options follow
      TCP: Maximum segment size = 536
      TCP: 

- - - - - - - - - - - - - - - - - - - - Frame 3 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time   ","Destination       ","Source            ","Bytes","Protocol  ","Summary"
"      ","     3","0.026.604    ","[xxx.xxx.xxx.xxx]    ","[140.239.176.162] ","   60 ","TCP"," D=53 S=64252 SYN (Retransmission of Frame 1) ACK=25957485 SEQ=25957486 LEN=0 WIN=4128"
DLC:  ----- DLC Header -----
      DLC:  
      DLC:  Frame 3 arrived at  16:22:17.6894; frame size is 60 (003C hex) bytes.
      DLC:  Destination = Station Kngstn2DB055
      DLC:  Source      = Station Cisc14B914AC
      DLC:  Ethertype   = 0800 (IP)
      DLC:  
IP: ----- IP Header -----
      IP: 
      IP: Version = 4, header length = 20 bytes
      IP: Type of service = 00
      IP:       000. ....   = routine
      IP:       ...0 .... = normal delay
      IP:       .... 0... = normal throughput
      IP:       .... .0.. = normal reliability
      IP:       .... ..0. = ECT bit - transport protocol will ignore the CE bit
      IP:       .... ...0 = CE bit - no congestion
      IP: Total length    = 44 bytes
      IP: Identification  = 0
      IP: Flags           = 0X
      IP:       .0.. .... = may fragment
      IP:       ..0. .... = last fragment
      IP: Fragment offset = 0 bytes
      IP: Time to live    = 240 seconds/hops
      IP: Protocol        = 6 (TCP)
      IP: Header checksum = 050A (correct)
      IP: Source address      = [140.239.176.162]
      IP: Destination address = [xxx.xxx.xxx.xxx]
      IP: No options
      IP: 
TCP: ----- TCP header -----
      TCP: 
      TCP: Source port             = 64252
      TCP: Destination port        = 53 (Domain)
      TCP: Initial sequence number = 25957486
      TCP: Next expected Seq number= 25957487
      TCP: Acknowledgment number   = 25957485
      TCP: Data offset             = 24 bytes
      TCP: Flags                   = 12
      TCP:               ..0. .... = (No urgent pointer)
      TCP:               ...1 .... = Acknowledgment
      TCP:               .... 0... = (No push)
      TCP:               .... .0.. = (No reset)
      TCP:               .... ..1. = SYN
      TCP:               .... ...0 = (No FIN)
      TCP: Window                  = 4128
      TCP: Checksum                = 9EAB (correct)
      TCP: 
      TCP: Options follow
      TCP: Maximum segment size = 536
      TCP: 



EMAIL RESPONSE FROM mirror-image.net:

> From: Support [support at mirror-image.com]
>Sent: Tuesday, June 05, 2001 1:51 PM
>To: Kelley Paul
>Subject: Re: Bad DNS Packets


>Hello,

>The activity you describe is a result of our global load balancer.
>When a client behind your DNS server makes a request to one of our
>customer's sites, our load balancer has all of our sites send out
>an rtt packet to see which site is closest to the client's DNS server.
>The decision is then made as to which site the client's request will
>be sent. This is a function of Cisco's Distributed Director and in no
>way an attempt to disrupt your network. In fact, the clients' requests
>are answered quicker and their web pages delivered much quicker as a
>result.  A handshake is not required by the Distributed Director, since
>the original request is from one of your clients. This is why the
>Distributed Director treats it as if it were an established connection,
>hence the ACK ....

>I hope this clarifies things. If you have any further questions, please
>direct them to networks at mirror-image.com

>We apologize for any confusion,

On Jun 5, 2001 Kelley Paul is alleged to have written:

> Date: Tue, 5 Jun 2001 07:57:56 -0400
> From: Kelley Paul <pfkelley at JPScorp.com>
> To: "'domreg at mirrorimage.net'" <domreg at mirrorimage.net>
> Subject: Bad DNS Packets
>
>
>  Our site has been receiving bad DNS packets that appear to be
> manufactured. I am not sure if this fits any known scan or DDOS attack but
> these packets come in bursts and last for ~ one hour.  These incidents were
> intermittent but have increased in frequency and duration.  The packets are
> syn acks to syns we never sent.  Your address popped up over the last 2
> days. It has been the only address that could be resolved. I am not sure if
> they just randomly hit your address or if one of your machines may be the
> source. I would appreciate any help you could give me in this matter. I have
> included a text file with a printout of the captured packets with your
> address. If you would like to see a more comprehensive capture I will send
> you one.
>
>
> 							Thanks
> 							Paul Kelley
>
>
>  <<bostondns.prn>>
>
> Paul F. Kelley
> JPS Elastomerics
> 413-552-1060
> pfkelley at jpscorp.com
> "...Where is your faith?.."
>
>

--
Keith Libitz - Sr. Systems Administrator - Mirror Image Internet, Inc.
e: keithl at mirror-image.com v: 781-376-1111 f: 781-376-1110
SIGSIG -- signature too long (core dumped)
Paul F. Kelley
JPS Elastomerics
413-552-1060
pfkelley at jpscorp.com
"...Where is your faith?.."
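As an added example (not from the post, and not Mirror Image's or Cisco's code), here is a small Python check that parses summary fields in the Sniffer format shown in the frames above and flags inbound SYN/ACKs that answer no SYN the monitored host sent, which is the symptom Paul describes. The local host address and the first two records (a normal handshake, for contrast) are constructed; the last three mirror Frames 1 to 3.

```python
import re

# Constructed stand-in for the masked [xxx.xxx.xxx.xxx] monitor host.
LOCAL_HOSTS = {"10.0.0.53"}

# Constructed records shaped like the Sniffer columns: (source, destination, summary).
# Rows 1-2 are a handshake our own resolver started; rows 3-5 echo Frames 1-3.
SAMPLE = [
    ("10.0.0.53", "192.0.2.10", " D=53 S=33001 SYN SEQ=1000 LEN=0 WIN=8760"),
    ("192.0.2.10", "10.0.0.53", " D=33001 S=53 SYN ACK=1001 SEQ=5000 LEN=0 WIN=4128"),
    ("140.239.176.162", "10.0.0.53", " D=53 S=64252 SYN ACK=25957485 SEQ=25957486 LEN=0 WIN=4128"),
    ("140.239.176.162", "10.0.0.53", " D=53 S=64574 SYN ACK=25957807 SEQ=25957808 LEN=0 WIN=4128"),
    ("140.239.176.162", "10.0.0.53", " D=53 S=64252 SYN (Retransmission of Frame 1) ACK=25957485 SEQ=25957486 LEN=0 WIN=4128"),
]

# Ports, then everything up to SEQ= (flag words, ACK=n, sniffer annotations).
SUMMARY_RE = re.compile(r"D=(\d+)\s+S=(\d+)\s+(.*?)\s*SEQ=(\d+)")

def parse_summary(summary):
    """Extract dst port, src port, TCP flag set, ack and seq from a summary field."""
    m = SUMMARY_RE.search(summary)
    if not m:
        return None
    dport, sport, middle, seq = m.groups()
    flags, ack = set(), None
    for tok in middle.split():
        if tok.startswith("ACK="):          # Sniffer prints the ACK flag as ACK=<number>
            flags.add("ACK")
            ack = int(tok[4:])
        elif tok in ("SYN", "FIN", "RST", "PSH", "URG"):
            flags.add(tok)
    return {"dport": int(dport), "sport": int(sport), "flags": flags, "ack": ack, "seq": int(seq)}

def unsolicited_synacks(records):
    """Return inbound SYN/ACKs whose 4-tuple matches no SYN the local host sent earlier."""
    pending = set()   # (local_ip, local_port, remote_ip, remote_port) of our outstanding SYNs
    hits = []
    for src, dst, summary in records:
        p = parse_summary(summary)
        if p is None:
            continue
        if src in LOCAL_HOSTS and p["flags"] == {"SYN"}:
            pending.add((src, p["sport"], dst, p["dport"]))
        elif dst in LOCAL_HOSTS and p["flags"] == {"SYN", "ACK"}:
            key = (dst, p["dport"], src, p["sport"])
            if key in pending:
                pending.discard(key)            # legitimate reply to our own SYN
            else:
                hits.append((src, p["sport"], p["dport"], p["ack"]))  # nobody asked for this
    return hits

if __name__ == "__main__":
    for src, sport, dport, ack in unsolicited_synacks(SAMPLE):
        print(f"unsolicited SYN/ACK from {src}:{sport} to port {dport}, ACK={ack}")
```

Note that in the captured frames the ACK number is always SEQ minus one, so the probe carries no acknowledgement of anything the receiver ever sent; that is what makes the matching against outstanding SYNs the right check.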



