[Dshield] increase port 53 traffic and compromised hosts

Alan Frayer afrayer at frayernet.com
Wed Jan 21 21:50:37 GMT 2004


I've been noticing the typical noise, but the port 53 stuff stands out
for its volume (which has dropped dramatically over the last two days,
for some reason... maybe someone's figured this one out already). Since
all I can really do is monitor the Dshield submissions and start a few
Fightbacks unless the client alerts me to issues they're willing to pay
for, I can't really get an idea of what's going on. I know the
configuration of the internal network, and don't believe the issue is
routine, but I can't say for sure that the client isn't compromised, and
the port 53 communications aren't replies to the compromised client
machine(s). Their firewall isn't watching outbound traffic as closely as
inbound traffic.

On Wed, 2004-01-21 at 15:45, Pete Cap wrote:

> Just a quick question...
>  
> Have you tried correlating this activity with anything else?
> 
> What other significant recon or "apparent" DDoS are you seeing?
> 
> Regards,
> Pete
> 
> Alan Frayer <afrayer at frayernet.com> wrote:
> On Mon, 2004-01-19 at 16:57, hostmaster at denverdata.com wrote:
> 
> > We're receiving an interesting surge in DNS traffic that began approx. 3PM MST 
> > on Jan 18. The surge is interesting in that:
> > 
> > * we do not have a publicly accessible DNS server at the target of the traffic
> > * all traffic is originating from 17 unique hosts (most in the ev1.net space, 
> > 1 host in aol.com)
> > * the traffic appears to be legitimate DNS name queries -- one captured 
> > request was for 217-125-299-77.UC.NOMBRES.TTD.ES
> > * for any given host, the same source port is always used. For a few of the 
> > hosts the source port flip-flops between two ports.
> > * at least two of the hosts appear to be compromised Windows boxes w/open port 
> > 27374 (SubSeven)
> 
> 
> A consulting client of mine has had similar issues, with attacks on only
> one public IP, however we lack the necessary components to capture the
> packets and further analyze them (I'm lucky that I can send Dshield the
> reports and participate in the Fightback program). These port 53 attacks
> make up the majority of attacks to this company's IPs (even with 6 IPs
> reporting), yet they don't actually shut down the bandwidth, so the
> company isn't requesting further action on my part.
> 
> The funny thing is, I haven't been able to rally enough support from
> anyone to actually do anything with them. They don't individually have
> enough targets to allow me to request a Fightback on them, and I don't
> see where I have enough leverage on my own.
> 


________________________________________________________________________

Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com 
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org 
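The traffic described earlier in the thread has two characteristics a defender can test for mechanically rather than by eye: a small set of hosts sending port 53 queries to an address that runs no public DNS service, and each host reusing one (or two alternating) source ports. The script below, added here as an example and not part of the thread, does that correlation over a constructed firewall-style log. The record format, the sample addresses (RFC 5737 documentation ranges), the thresholds, and the PUBLIC_DNS_SERVERS inventory are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread): timestamp,
# source ip:port, destination ip:port, protocol, one record per line.
SAMPLE_LOG = """\
2004-01-18 15:01:02 src=203.0.113.5:1027 dst=198.51.100.9:53 proto=udp
2004-01-18 15:01:03 src=203.0.113.5:1027 dst=198.51.100.9:53 proto=udp
2004-01-18 15:01:05 src=203.0.113.5:1027 dst=198.51.100.9:53 proto=udp
2004-01-18 15:01:07 src=203.0.113.17:2048 dst=198.51.100.9:53 proto=udp
2004-01-18 15:01:09 src=203.0.113.17:2049 dst=198.51.100.9:53 proto=udp
2004-01-18 15:01:11 src=203.0.113.17:2048 dst=198.51.100.9:53 proto=udp
2004-01-18 15:01:13 src=203.0.113.17:2049 dst=198.51.100.9:53 proto=udp
2004-01-18 15:02:00 src=192.0.2.44:33001 dst=198.51.100.10:53 proto=udp
2004-01-18 15:02:01 src=192.0.2.44:33002 dst=198.51.100.10:53 proto=udp
2004-01-18 15:02:02 src=192.0.2.44:33003 dst=198.51.100.10:53 proto=udp
2004-01-18 15:02:03 src=192.0.2.44:33004 dst=198.51.100.10:53 proto=udp
2004-01-18 15:03:00 src=192.0.2.44:33005 dst=198.51.100.10:53 proto=udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Hypothetical inventory: addresses that legitimately offer public DNS.
# Queries aimed at any other address are worth a second look.
PUBLIC_DNS_SERVERS = {"198.51.100.10"}


def parse_records(text):
    """Yield one dict per well-formed record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize_dns_sources(text):
    """Per source IP: number of port-53 queries, distinct source ports, distinct targets."""
    summary = defaultdict(lambda: {"count": 0, "sports": set(), "targets": set()})
    for rec in parse_records(text):
        if rec["dport"] != 53:
            continue
        entry = summary[rec["src"]]
        entry["count"] += 1
        entry["sports"].add(rec["sport"])
        entry["targets"].add(rec["dst"])
    return dict(summary)


def flag_suspicious_sources(summary, min_queries=3, max_source_ports=2):
    """Return sorted (src, reason) pairs for sources matching the reported pattern.

    A source is flagged if it sent at least min_queries queries from no more
    than max_source_ports distinct source ports (a normal resolver varies its
    port), or if it queried an address that is not a known public DNS server.
    """
    flagged = []
    for src, entry in sorted(summary.items()):
        reasons = []
        if entry["count"] >= min_queries and len(entry["sports"]) <= max_source_ports:
            reasons.append(
                f"fixed source port(s) {sorted(entry['sports'])} over {entry['count']} queries"
            )
        non_dns_targets = sorted(entry["targets"] - PUBLIC_DNS_SERVERS)
        if non_dns_targets:
            reasons.append(f"queries to non-DNS host(s) {non_dns_targets}")
        if reasons:
            flagged.append((src, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for src, reason in flag_suspicious_sources(summarize_dns_sources(SAMPLE_LOG)):
        print(f"{src}: {reason}")
```

On the constructed sample, 203.0.113.5 (one fixed port) and 203.0.113.17 (two alternating ports) are flagged on both counts, while 192.0.2.44 varies its source port and only talks to the inventoried server, so it is left alone. Running this over a day of submissions answers the correlation question raised in the thread without a packet capture: it separates hosts that behave like ordinary resolvers from the handful that keep hitting a non-DNS address from a fixed port.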
 


