[72152] in North American Network Operators' Group


Re: Barrages of Packet Errors

daemon@ATHENA.MIT.EDU (John Kinsella)
Thu Jul 1 13:04:52 2004

Date: Thu, 1 Jul 2004 10:04:24 -0700
From: John Kinsella <jlk@thrashyour.com>
To: webmagician@altern.org
Cc: nanog@merit.edu
Reply-To: John Kinsella <jlk@thrashyour.com>
In-Reply-To: <20040701062542.6BBE15A42D@segue.merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


It's an off-topic posting.  Try asking on SecurityFocus' Incidents list.

John (mmm deja-vu)

On Thu, Jul 01, 2004 at 08:25:33AM +0200, webmagician@altern.org wrote:
>
>
> Hopefully this is not an off-topic posting. I've scanned a variety of
> groups looking to see if anyone else has encountered a similar problem,
> to no avail, and I simply thought this might be the most appropriate
> place to post an inquiry.
>
> I'm not a service provider, simply a small business operator with a few
> servers, providing business clients with mostly standard web and email
> type services. A couple of nights ago my systems started experiencing a
> sharp increase in DNS traffic generating a new flavor of error messages.
> I'd like to know if anyone else out there noticed similar DNS errors in
> the past couple of days.
>
> The barrage first hit at roughly 9:15pm (Mountain Std Time) on June 28th
> and lasted only a few minutes.  It repeated again at 9:25pm, and then
> again at roughly 9:38pm, and a 4th round at 10:06pm. I fired up ethereal
> shortly after the 4th battery in the hopes of capturing additional data,
> but there was no further activity, and I shut ethereal down the next
> morning (June 29th). However, later in the morning of the 29th the
> problem resurfaced, first at roughly 10am, then at 11:00am, 11:30am, and
> a final blast at 11:45am. Unfortunately I wasn't around during those
> barrages, so again I missed the opportunity to collect additional
> information - I only noticed it had happened while reviewing the server
> logs later that afternoon. The errors haven't re-occurred since.
>
> The error messages are all the same (other than the inbound IP address
> causing the errors). The error message is as follows:
>   "DNS Server encountered bad packet from 192.5.6.30. Packet processing
>   leads beyond packet length."
>
> After extracting and sorting the error messages from the server log, I
> noticed the errors were associated with about 3 dozen IP addresses. The
> list of IP's associated with the packets that were generating the errors
> is as follows:
>
> 128.63.2.53 = h.root-servers.net
> 128.9.0.107 = ns1.isi.edu
> 152.163.159.234 = dns-01.icq.net
> 192.112.36.4 = g.root-servers.net
> 192.12.94.32 = aloe.arin.net
> 192.203.230.10 = e.root-servers.net
> 192.228.79.201 = b.root-servers.net
> 192.26.92.30 = c.gtld-servers.net
> 192.33.14.30 = b.gtld-servers.net
> 192.33.4.12 = c.root-servers.net
> 192.35.51.32 = dill.arin.net
> 192.36.148.17 = i.root-servers.net
> 192.42.93.30 = g.gtld-servers.net
> 192.5.5.241 = f.root-servers.net
> 192.5.6.30 = a.gtld-servers.net
> 192.5.6.32 = a3.nstld.com
> 192.54.112.30 = h.gtld-servers.net
> 192.58.128.30 = j.root-servers.net
> 193.0.14.129 = k.root-servers.net
> 193.205.245.8 = dns2.nic.it
> 198.32.64.12 = l.root-servers.net
> 198.41.0.4 = a.root-servers.net
> 198.96.180.33 = ns1.bmo.com
> 198.96.183.6 = ns2.bmo.com
> 199.191.128.105 = cbru.br.ns.els-gms.att.net
> 199.191.145.136 = macu.ma.mt.np.els-gms.att.net
> 202.12.27.33 = m.root-servers.net
> 204.152.185.196 = west-pub.mail-abuse.org
> 205.188.157.232 = dns-02.ns.aol.com
> 205.188.157.234 = dns-02.icq.net
> 209.182.216.75 = ns1.gnac.net
> 209.237.237.10 = dns1-public.alexa.com
> 209.47.26.190 = ns.uunet.ca
> 216.239.34.10 = ns2.google.com
> 216.239.38.10 = ns4.google.com
> 35.9.116.13 = serv1.cl.msu.edu
> 64.4.240.70 = ns1.nix.paypal.com
> 64.4.240.71 = ns2.nix.paypal.com
> 64.4.244.70 = ns1.sc5.paypal.com
> 64.4.244.71 = ns2.sc5.paypal.com
>
> I never assume anything happens "by chance" when it comes to anomalies
> in any of my systems' log files, particularly when it's something brand
> new (I've never encountered this particular error in the past 7 years or
> so, so it set bells ringing to examine the problem more closely) (and
> there was nothing different or non-normal in the way of user activity or
> other processing, etc. at any time prior to or during these 'events').
> My initial guess is it's someone trying out some new attack vector
> attempting to exploit yet another buffer overflow problem in windoze,
> but the strange thing is that the IP's are all (with the exception of a
> couple) associated with top-level domain servers (or am I mistaken in
> that assessment?). I'm not a network specialist by any stretch of the
> imagination, my skill-sets are in other areas, so I'm afraid I haven't
> much else to add in the way of information about this problem. I'm just
> looking to bring it to the attention of those who do have the
> knowledge/experience in this area in case it's a problem of some
> significance where forewarning may prove useful to others.
>
> Thank you.
>
> Brian Pederson
> Chief Technology Officer
> TeamWorx Productions Ltd.
>
>

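The log line quoted in the thread ("Packet processing leads beyond packet length") is the generic outcome of a resolver's bounds checking: some count, label length, RDLENGTH or compression pointer in the datagram would carry the parser past the end of the buffer, so the server discards the packet rather than read out of bounds. The walker below is an added example, written for this page and not code from the poster, the list, or any DNS server implementation; it reproduces that class of check over constructed sample packets (a well-formed response, the same response truncated, one whose header overstates the answer count, and one with a self-referential compression pointer) so a reader can see which malformations produce that verdict. The sample packet builder and its name and address are assumptions for the demonstration.

```python
"""Strict DNS message walker: reports any field that would lead past the end
of the packet instead of reading it.  Added example (not the poster's, the
list's or any DNS server's code); the sample packets below are constructed."""
import struct


class MalformedDNS(ValueError):
    """A count, label length, RDLENGTH or compression pointer leads beyond the packet."""


def _need(buf, off, n):
    """Refuse to read n bytes at off unless they lie inside the packet."""
    if off + n > len(buf):
        raise MalformedDNS(
            f"reading {n} byte(s) at offset {off} leads beyond packet length {len(buf)}")


def _read_labels(buf, off, depth):
    """Collect the labels of a name starting at off; returns (labels, next_off)."""
    labels = []
    while True:
        _need(buf, off, 1)
        length = buf[off]
        if length == 0:                          # root label terminates the name
            return labels, off + 1
        if (length & 0xC0) == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            _need(buf, off, 2)
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            # Pointers may only reference an earlier offset; a forward or
            # self-referential pointer is a loop or an out-of-bounds read.
            if ptr >= off or depth >= 16:
                raise MalformedDNS(f"compression pointer to {ptr} at offset {off}")
            tail, _ = _read_labels(buf, ptr, depth + 1)
            return labels + tail, off + 2
        if length > 63:                          # 0x40/0x80 prefixes are not labels
            raise MalformedDNS(f"label length {length} at offset {off}")
        off += 1
        _need(buf, off, length)
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length


def read_name(buf, off):
    """Return (dotted_name, next_off); the root name is rendered as '.'."""
    labels, off = _read_labels(buf, off, 0)
    return ".".join(labels) or ".", off


def parse_message(buf):
    """Walk header, questions and all resource records with bounds checks."""
    _need(buf, 0, 12)
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        _need(buf, off, 4)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):                # header counts are untrusted
        name, off = read_name(buf, off)
        _need(buf, off, 10)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        _need(buf, off, rdlen)                   # RDLENGTH is untrusted too
        records.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "flags": flags, "questions": questions,
            "records": records, "trailing": len(buf) - off}


def classify(buf):
    """'ok', or the reason a server would log the datagram as a bad packet."""
    try:
        parse_message(buf)
        return "ok"
    except MalformedDNS as exc:
        return f"bad packet: {exc}"


def build_response(msg_id, qname, addr):
    """Constructed sample: one question plus one A answer whose owner name is a
    pointer (0xC00C) back to the question name at offset 12."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", msg_id, 0x8180, 1, 1, 0, 0)
    question = wire + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
              + bytes(int(o) for o in addr.split(".")))
    return header + question + answer


if __name__ == "__main__":
    good = build_response(0x1234, "example.net", "192.0.2.10")   # constructed
    samples = {
        "well-formed": good,
        "truncated by 2 bytes": good[:-2],                        # RDATA runs off the end
        "header claims 5 answers": good[:6] + b"\x00\x05" + good[8:],
        "name is a pointer to itself": good[:12] + b"\xc0\x0c" + good[14:],
    }
    for label, pkt in samples.items():
        print(f"{label:30s} {classify(pkt)}")
```

When triaging errors like the ones in the thread, the useful distinction is between the same verdict arising from truncation (a response cut short in transit or by an MTU/fragment problem, which every RDLENGTH or count check catches at the tail of the buffer) and from a structurally wrong packet (a bad pointer or oversized label early in the message); the parser above names the offset and field so the two cases can be told apart from the captured datagram.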