[unisog] odd traffic on udp 53 (variation on thread)

Joshua Thomas security at ohio.edu
Tue Oct 21 20:21:34 GMT 2003


We've also seen a noticeable spike in DNS requests from a single 
workstation when that user installed the Grub client.  Grub is a 
distributed web crawler network which uses unused CPU cycles (a la 
SETI at home) to index web sites.  The crawling generates a lot of DNS 
queries, which you may be able to identify by the way the client traverses 
sites (i.e. a query for www.yahoo.com followed by shop.yahoo.com, 
news.yahoo.com, maps.yahoo.com, etc).  See <http://www.grub.org/> for more 
info.

Joshua Thomas
Security Analyst
Communication Network Services
Ohio University
Athens, Ohio 45701
Phone: (740) 597-2974
Fax: (740) 597-1826
security at ohio.edu

--On Friday, October 17, 2003 11:24 PM -0400 Clarke Morledge 
<chmorl at wm.edu> wrote:

> I don't think I've got the same thing going on udp port 53, but I am
> seeing some awfully weird stuff with DNS.
>
> We are seeing huge spikes of DNS queries from our official campus DNS
> servers querying other DNS servers upstream.   From several hundred DNS
> queries every 10 to 30 minutes or so to around 10,000 or more during the
> same time period.  The sheer quantity bothers me.  These DNS storms last
> about an hour before they die off.
>
> But the most annoying part is that they are DoS'ing my PIX firewall.  The
> huge surge of UDP "connections" burns up all of the resources on the PIX
> -- pegging the CPU (running PIX version 6.3).
>
> Is anybody seeing anything like this?
>
>
> Clarke Morledge
> College of William and Mary
> Information Technology - Network Engineering
> Jones Hall (Room 18)
> Williamsburg VA 23187
> 757-221-1536
> chmorl at wm.edu
>
> On Wed, 8 Oct 2003, Gerry Sneeringer wrote:
>
>> On Wed, 8 Oct 2003, Russell Fulton wrote:
>> > Hi All,
>> > 	Over the last few days I've spotted three or four systems doing lots
>> > 	of traffic on udp port 53.  My first thought was that this was some
>> > worm or trojan doing DNS lookups to find MX records (like sobig-f).
>> > This turn out not to be the case (well at least NAV failed to find any
>> > evidence of infection).  The all the packets I observed carry bytes of
>> > data (NULLs in the few packets I captured).  There are also lots of
>> > packets being sent to 119.0.0.0 on udp 30467, again 8 bytes of data.
>> >
>> > Occasionally we see small incoming udp packets to this machine.
>> >
>> > My best guess now is that is some sort of p2p protocol and the users
>> > are being coy with us because they know that their use is against
>> > university policy (unless they can convince us that the they are not
>> > breaching anyone's copyright(.
>> >
>> > Anyone got any ideas?
>> >
>> > Below are various relevant bits of data about the system and the
>> > traffic.
>>
>> Earthstation5 (www.earthstation5.com) boasts about the ability to
>> use the DNS and NTP UDP ports to thrwart University network
>> administrators.
>>
>> -Gerry
>>
>>
>> ---
>> Gerry Sneeringer, CISSP
>> IT Security Officer
>> University of Maryland
>>
>>
>>
>>
>






More information about the unisog mailing list