Re: Unusual IN ANY DNS Traffic

2005-05-11 Thread Douglas E. Warner
On Wednesday 11 May 2005 03:57, Simon Waters wrote:
> Indeed modern versions of BIND default to high ports for DNS queries as
> well unless configured otherwise. I think old versions of BIND and the odd
> firewall product were the main thing doing source port 53 queries.
>
> I was going to suggest email servers as a possible cause -- I think
> probably you'll have to speak to a customer if it still persists. Make sure
> they haven't been owned. Might just have been a spam run or mailshot with
> msn.com as the reply, and you discovering how many email servers are out
> there or similar.


I suspect you're correct; these are probably some DSL customers who have been
0wn3d by either a virus or malware and have just been turned on to spam
domains at msn.com.  Unfortunately we don't do protocol graphs on our major
routers or else I would have been able to see a spike of port 25 traffic if
it had existed - we just graph our DNS server queries, which is why I noticed
the jump.

> I assume you're not using something daft like MS DNS server, but a recent
> BIND or DJB cache.

Also correct; we're running BIND 9.2.2 and I parse the query logs to see what 
kind of traffic we're getting via the different query types.

-Doug

-- 
Douglas E. Warner   [EMAIL PROTECTED]   Network Engineer
CTI Networks, Inc.   http://www.ctinetworks.com   +1 717 975 9000




Unusual IN ANY DNS Traffic

2005-05-10 Thread Douglas E. Warner
Since about 03:00 UTC this morning I've been seeing a huge increase in IN 
ANY requests for msn.com..  While my name servers have not seen much, if 
any, IN ANY queries in the past, now I'm seeing ~ 50 queries/second.  I'll 
include a tcpdump sample below.
Actually, while I was writing this post the queries seem to have stopped 
(15:05 UTC).
Is this typical of a botnet or some worm propagating?  Any experience with this
type of traffic would be very much appreciated.

-Doug

 tcpdump - times in EDT 

# tcpdump -nn dst port 53 | grep 'ANY'
tcpdump: listening on eth0
10:27:16.748561 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.751724 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  15+ ANY? msn.com. (25) (DF)
10:27:16.758276 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.758440 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  3+ ANY? msn.com. (25) (DF)
10:27:16.758443 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  10+ ANY? msn.com. (25) (DF)
10:27:16.759799 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.761228 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  10+ ANY? msn.com. (25) (DF)
10:27:16.762209 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.764992 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  7+ ANY? msn.com. (25) (DF)
10:27:16.765981 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.766676 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.766798 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53:  8+ ANY? msn.com. (25) (DF)



Re: Unusual IN ANY DNS Traffic

2005-05-10 Thread Douglas E. Warner
On Tuesday 10 May 2005 12:14, Duane Wessels wrote:
> One thing I've noticed that likes to generate ANY queries is Qmail...

I guess I should've stated that these are almost all some DSL customers on our 
network using their assigned DNS servers, but this traffic is just completely 
out of normal; especially since they were all looking for msn.com..
Another thing that is quite odd (to me) is that the source port is all port 
53; I thought that normal clients would use a random high port to do queries 
from.

-Doug

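As an added example (not code from the thread or from any of its participants), the following Python script does the kind of triage Doug describes: it parses tcpdump lines in the format shown in the original post, counts IN ANY queries per source address, finds the peak per-second ANY rate, and flags clients that send every query from source port 53 instead of a random high port, which is the second anomaly raised in the thread. The capture embedded in it is constructed with RFC 5737 documentation addresses rather than real traffic, and the `min_any` threshold is an assumption to tune for your own resolver's baseline.

```python
"""Triage a tcpdump DNS capture for an IN ANY query flood.

Accepts lines in the format tcpdump prints for DNS queries:
    HH:MM:SS.usec src.port > dst.port:  id+ QTYPE? name. (len) (DF)
and reports, per source address, how many ANY queries it sent, what it
asked for, and whether it queried from source port 53.  Ordinary stub
resolvers and modern BIND pick a random high source port, so a client
that always uses 53 stands out.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the tcpdump format from the thread.  Addresses are
# RFC 5737 documentation ranges, not real clients or name servers.
SAMPLE_CAPTURE = """\
10:27:16.748561 192.0.2.10.53 > 198.51.100.5.53:  6+ ANY? msn.com. (25) (DF)
10:27:16.751724 192.0.2.10.53 > 198.51.100.5.53:  15+ ANY? msn.com. (25) (DF)
10:27:16.758276 192.0.2.11.53 > 198.51.100.5.53:  16+ ANY? msn.com. (25) (DF)
10:27:16.901122 192.0.2.12.33001 > 198.51.100.5.53:  3+ A? www.example.net. (33) (DF)
10:27:17.103400 192.0.2.11.53 > 198.51.100.5.53:  10+ ANY? msn.com. (25) (DF)
10:27:17.201000 192.0.2.13.41234 > 198.51.100.5.53:  7+ MX? example.org. (29) (DF)
10:27:17.205555 192.0.2.10.53 > 198.51.100.5.53:  6+ ANY? msn.com. (25) (DF)
"""

LINE_RE = re.compile(
    r"^(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<usec>\d{6})\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)(?P<rd>\+?)\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)"
)


def parse_line(line):
    """Parse one tcpdump DNS query line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["sport"] = int(q["sport"])
    q["dport"] = int(q["dport"])
    return q


def summarize(capture):
    """Aggregate queries per source address: totals, ANY count, names, source-port-53 count."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "sport53": 0, "names": Counter()})
    for line in capture.splitlines():
        q = parse_line(line)
        if q is None:
            continue  # skip non-query lines (replies, other protocols)
        s = stats[q["src"]]
        s["total"] += 1
        if q["qtype"] == "ANY":
            s["any"] += 1
            s["names"][q["qname"]] += 1
        if q["sport"] == 53:
            s["sport53"] += 1
    return dict(stats)


def peak_any_rate(capture):
    """Highest number of ANY queries seen in any single wall-clock second."""
    per_second = Counter()
    for line in capture.splitlines():
        q = parse_line(line)
        if q is not None and q["qtype"] == "ANY":
            per_second[q["hms"]] += 1
    return max(per_second.values(), default=0)


def suspicious_sources(stats, min_any=2):
    """Sources sending at least min_any ANY queries (threshold is an assumption).

    Returns (source, any_count, always_source_port_53, most_queried_name) tuples.
    """
    out = []
    for src, s in sorted(stats.items()):
        if s["any"] >= min_any:
            top = s["names"].most_common(1)[0][0] if s["names"] else None
            out.append((src, s["any"], s["sport53"] == s["total"], top))
    return out


if __name__ == "__main__":
    stats = summarize(SAMPLE_CAPTURE)
    print("peak ANY queries in one second:", peak_any_rate(SAMPLE_CAPTURE))
    for src, n_any, always53, top in suspicious_sources(stats):
        print(f"{src}: {n_any} ANY queries for {top}, always source port 53: {always53}")
```

Run against a real capture by feeding `tcpdump -nn dst port 53` output into `summarize`; sources that show up with a high ANY count, a single repeated name and a constant source port of 53 are the customers to contact, as the thread suggests.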