[Dshield] Strange udp/53 traffic...

Stephane Grobety security at admin.fulgan.com
Thu Apr 1 07:49:44 GMT 2004


JK> Anyone know what this might be? Some P2P abomination or a bot-net?

It looks like DNS traffic, most likely questions since several
requests have a high source port.

Now, I've checked the apparent source IPs and most seem to belong to
hosts sitting behind leased lines. One (181.118.135.17) is not even
assigned to anyone yet: a sign of spoofing or of incorrect configuration.
They come from all over the world.

Now, if we actually had a packet dump, we could have a better idea of
what's going on. I see four possibilities:

1/ Someone, somewhere has improperly set up a glue record in a DNS
server and has it pointed at your machine. Clients trying to resolve
names belonging to that misconfigured zone are sending their requests
to you. It's fairly possible, but the fact that none of these source
IPs seem to belong to "normal" customers (dialup, cable or DSL) could
indicate a quite peculiar domain. There is also the unassigned IP that
doesn't fit the picture (then again, people do strange things with IPs
nowadays).

2/ Someone is scanning your network for DNS servers and is trying to
hide his real IP behind a number of spoofed packets. You haven't
provided any TTL so it's hard to see exactly what's going on, but the
fact that the source port is sometimes in the high range seems to be
against that (then again, this could very easily be done).

3/ Someone is trying to use 172.18.81.21 as a traffic amplifier
and anonymizer for a DDoS. Is that IP running a DNS server?

4/ Someone is trying to DDoS you through DNS. He is either using a
net of very dumb bots or he's simply spoofing the source IP. Again,
without packet details it's hard to have an opinion here.

That's all I can think of.

Good luck,
Stephane
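As an added illustration, not part of Stephane's post or anything from the DShield list, here is a small Python triage script that sorts captured udp/53 payloads into the buckets the four possibilities above turn on: queries arriving from ephemeral ports (someone treating the host as a resolver), queries arriving from port 53, and responses the host never asked for (its address being spoofed toward other servers). The packets and addresses are constructed from documentation ranges, and `parse_dns`, `triage` and the builder helpers are hypothetical names, not any tool's API.

```python
import struct
from collections import Counter

def parse_dns(payload: bytes) -> dict:
    """Decode the DNS header and the first question of a raw UDP/53 payload."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    labels, off = [], 12
    while qd and payload[off] != 0:             # walk the first qname, if any
        length = payload[off]
        if length & 0xC0:                       # a compression pointer is invalid here
            raise ValueError("compressed qname in question section")
        labels.append(payload[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return {"id": ident, "is_response": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0xF, "ancount": an, "qname": ".".join(labels)}

def triage(packets):
    """Bucket (src_ip, src_port, payload) tuples the way the post reasons: queries from
    ephemeral ports look like clients using the host as a resolver (cases 1 and 4);
    unsolicited responses mean its address is spoofed at other servers (case 3)."""
    buckets, qnames = Counter(), Counter()
    for _src_ip, sport, payload in packets:
        try:
            d = parse_dns(payload)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            buckets["malformed"] += 1
            continue
        if d["is_response"]:
            buckets["unsolicited_response"] += 1
        elif sport >= 1024:
            buckets["query_from_high_port"] += 1
            qnames[d["qname"]] += 1             # which zone are the clients asking about?
        else:
            buckets["query_from_port_53"] += 1  # server-to-server, or a spoofed source
    return buckets, qnames

# Constructed sample traffic using documentation address ranges, not the post's IPs.
def _qname(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
def build_query(ident, name):
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + _qname(name) + struct.pack("!2H", 1, 1)
def build_response(ident, name, ip):
    q = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0) + _qname(name) + struct.pack("!2H", 1, 1)
    return q + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))

SAMPLE = [("192.0.2.10", 45231, build_query(0x1A2B, "ns1.misconfigured.example")),
          ("198.51.100.7", 51002, build_query(0x3C4D, "ns1.misconfigured.example")),
          ("203.0.113.9", 53, build_query(0x5E6F, "www.example")),
          ("203.0.113.44", 53, build_response(0x7788, "victim.example", "203.0.113.1")),
          ("192.0.2.99", 40000, b"\x00\x01")]   # truncated junk, lands in "malformed"
```

Running `triage(SAMPLE)` yields two high-port queries for the same name (the glue-record pattern of case 1), one query from port 53, one unsolicited response and one malformed packet.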