Re: Unusual IN ANY DNS Traffic
On Wednesday 11 May 2005 03:57, Simon Waters wrote:
> Indeed modern versions of BIND default to high ports for DNS queries as
> well unless configured otherwise. I think old versions of BIND and the odd
> firewall product were the main thing doing source port 53 queries.
>
> I was going to suggest email servers as a possible cause -- I think
> probably you'll have to speak to a customer if it still persists. Make sure
> they haven't been owned. Might just have been a spam run or mailshot with
> "msn.com" as the reply, and you discovering how many email servers are out
> there or similar.

I suspect you're correct; these are probably some DSL customers who have been "0wn3d" by either a virus or malware and have just been "turned on" to spam domains at "msn.com". Unfortunately we don't do protocol graphs on our major routers or else I would have been able to see a spike of port 25 traffic if it had existed - we just graph our DNS server queries, which is why I noticed the jump.

> I assume you're not using something daft like MS DNS server, but a recent
> BIND or DJB cache.

Also correct; we're running BIND 9.2.2 and I parse the query logs to see what kind of traffic we're getting via the different query types.

-Doug

--
Douglas E. Warner <[EMAIL PROTECTED]>
Network Engineer
CTI Networks, Inc.
http://www.ctinetworks.com
+1 717 975 9000
Re: Unusual IN ANY DNS Traffic
On Tuesday 10 May 2005 12:14, Duane Wessels wrote:
> One thing I've noticed that likes to generate ANY queries is Qmail...

I guess I should've stated that these are almost all some DSL customers on our network using their assigned DNS servers, but this traffic is just completely out of normal; especially since they were all looking for "msn.com.". Another thing that is quite odd (to me) is that the source port is all port 53; I thought that normal clients would use a random high port to do queries from.

-Doug

--
Douglas E. Warner <[EMAIL PROTECTED]>
Network Engineer
CTI Networks, Inc.
http://www.ctinetworks.com
+1 717 975 9000
Re: Unusual IN ANY DNS Traffic
On Tue, 10 May 2005, Douglas E. Warner wrote:
> Since about 03:00 UTC this morning I've been seeing a huge increase in "IN ANY" requests for "msn.com.". While my name servers have not seen much, if any, "IN ANY" queries in the past, now I'm seeing ~ 50 queries/second. I'll include a tcpdump sample below.
>
> Actually, while I was writing this post the queries seem to have stopped (15:05 UTC).
>
> Is this typical of a botnet or some worm propagating? Any experience in this type of traffic would be very much appreciated.

One thing I've noticed that likes to generate ANY queries is Qmail...

Duane W.
Unusual IN ANY DNS Traffic
Since about 03:00 UTC this morning I've been seeing a huge increase in "IN ANY" requests for "msn.com.". While my name servers have not seen much, if any, "IN ANY" queries in the past, now I'm seeing ~ 50 queries/second. I'll include a tcpdump sample below.

Actually, while I was writing this post the queries seem to have stopped (15:05 UTC).

Is this typical of a botnet or some worm propagating? Any experience in this type of traffic would be very much appreciated.

-Doug

tcpdump - times in EDT

# tcpdump -nn dst port 53 | grep 'ANY'
tcpdump: listening on eth0
10:27:16.748561 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.751724 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 15+ ANY? msn.com. (25) (DF)
10:27:16.758276 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.758440 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 3+ ANY? msn.com. (25) (DF)
10:27:16.758443 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 10+ ANY? msn.com. (25) (DF)
10:27:16.759799 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.761228 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 10+ ANY? msn.com. (25) (DF)
10:27:16.762209 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.764992 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 7+ ANY? msn.com. (25) (DF)
10:27:16.765981 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 16+ ANY? msn.com. (25) (DF)
10:27:16.766676 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.766798 66.59.xxx.xxx.53 > 205.166.xxx.xxx.53: 8+ ANY? msn.com. (25) (DF)

--
Douglas E. Warner <[EMAIL PROTECTED]>
Network Engineer
CTI Networks, Inc.
http://www.ctinetworks.com
+1 717 975 9000
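An added example, not from the thread, of the query-log triage Doug describes: it parses tcpdump summary lines in the format quoted above, counts ANY queries per second, per source and per name, and flags the two anomalies raised in the thread (a burst of ANY queries and clients sending from source port 53). The sample lines and their RFC 5737 addresses are constructed, and the rate threshold is an assumed value.

```python
import re
from collections import Counter

# Matches the tcpdump DNS summary format quoted in the thread:
# "HH:MM:SS.usec SRC.PORT > DST.PORT: ID+ QTYPE? NAME. (LEN) (DF)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"\d+\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)"
)

# Constructed sample in the same format; addresses are RFC 5737 documentation ranges.
SAMPLE_LINES = """
10:27:16.748561 192.0.2.10.53 > 198.51.100.1.53: 6+ ANY? msn.com. (25) (DF)
10:27:16.751724 192.0.2.10.53 > 198.51.100.1.53: 15+ ANY? msn.com. (25) (DF)
10:27:16.758276 192.0.2.11.53 > 198.51.100.1.53: 16+ ANY? msn.com. (25) (DF)
10:27:17.001000 192.0.2.20.40123 > 198.51.100.1.53: 4+ A? example.com. (29)
""".strip().splitlines()

def parse_line(line):
    """Return the query fields as a dict, or None for lines that are not DNS queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["sport"], q["dport"] = int(q["sport"]), int(q["dport"])
    return q

def analyze(lines, any_rate_threshold=20):
    """Count ANY queries per second, source and name; flag bursts and port-53 clients.
    any_rate_threshold is an assumed value; tune it to the normal ANY rate of the resolver."""
    per_second, per_source, per_name = Counter(), Counter(), Counter()
    port53_sources = set()
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        if q["sport"] == 53:          # stub resolvers normally use a high, random port
            port53_sources.add(q["src"])
        if q["qtype"] == "ANY":
            per_second[q["ts"]] += 1
            per_source[q["src"]] += 1
            per_name[q["qname"]] += 1
    findings = [f"{sec}: {n} ANY queries/s (threshold {any_rate_threshold})"
                for sec, n in sorted(per_second.items()) if n >= any_rate_threshold]
    findings += [f"{src}: queries sent from source port 53" for src in sorted(port53_sources)]
    return {"per_second": per_second, "per_source": per_source,
            "per_name": per_name, "findings": findings}
```

Run it over `tcpdump -nn dst port 53` output captured to a file, with the threshold set just above the resolver's normal ANY rate, to get the per-source breakdown needed to identify which customers to contact.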