Lost In Cyberia Posted January 27, 2014
Hello everyone, so I'm getting this tcpdump, and it looks like... quite a mess. Can anyone decipher this? I can tell that one IP is requesting DNS info, but I'm having trouble finding out what some of the fields actually mean.

19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, A 204.46.43.47, A 204.46.43.48, A 204.46.43.49, A 204.46.43.50, A 204.46.43.51, A 204.46.43.52, A 204.46.43.53, A 204.46.43.54, A 204.46.43.55, A 204.46.43.56, A 204.46.43.57, A 204.46.43.58, A 204.46.43.59, A 204.46.43.60, A 204.46.43.61, A 204.46.43.62, A 204.46.43.63, A 204.46.43.64, A 204.46.43.65

I know the first set of numbers is the time stamp, the 2nd is the IP address, and the next is the destination IP, with the port number after the last octet of the IP. What comes next, the '243/2/7', is what confuses me. I know SOA is the start of authority, but what does it all mean together? I have a huuuge flood of traffic with this type of output. I know the A's represent A records, but are these being requested or sent? Can someone break this down for me in what is actually happening here?
digip Posted January 27, 2014 (edited)
Check your server's DNS settings and whether it's secured against zone transfers. If not, they could be scanning your (guess corporate/work) LAN for internal addresses for the subnet behind NAT, although the range looks like addresses you'd see on the internet unless you for some reason chose that range for an internal network. 204.46.43.65, for example, is epa.gov on the internet side, but if it's on a network behind NAT it could be anything. It's possible your machine is being used to scan another network such as the EPA and using you to bounce off of, which would be a bad thing, and most likely you have an intruder on your internal network scanning external networks, or the machine you're on is compromised, or, for whatever reason, people are just visiting the EPA and you're seeing their traffic to the site and the normal DNS requests the machine is making to their site. They seem to return unassigned.epa.gov if you try to resolve them, so maybe someone visited epa.gov and they have multiple IPs for redundancy and you got all of them back for whatever reason in the request for the site.
Edited January 27, 2014 by digip
Lost In Cyberia Posted January 27, 2014
Thanks for the response digip. We are behind NAT, but this range is not used by us, so it's definitely an external IP. The segment of traffic I posted was a mere drop in the bucket of the traffic that was flooded to the client's machine. (We're an ISP and saw a ton of traffic slam the client.) Another tiny snippet:

19:44:50.708965 IP 203.113.165.27.53 > 64.147.113.139.33526: 52313| 243/0/2 A 204.46.43.172, A 204.46.43.173, A 204.46.43.174, A 204.46.43.175, A 204.46.43.176, A 204.46.43.177, A 204.46.43.178, A 204.46.43.179, A 204.46.43.180, A 204.46.43.181, A 204.46.43.182, A 204.46.43.183, A 204.46.43.184, A 204.46.43.185, A 204.46.43.186, A 204.46.43.187, A 204.46.43.188, A 204.46.43.189, A 204.46.43.190, A 204.46.43.191, A 204.46.43.192, A 204.46.43.193, A 204.46.43.194, A 204.46.43.195, A 204.46.43.196, A 204.46.43.197, A 204.46.43.198, A 204.46.43.199, A 204.46.43.200, A 204.46.43.201, A 204.46.43.202, A 204.46.43.203, A 204.46.43.204, A 204.46.43.205, A 204.46.43.206, A 204.46.43.207, A 204.46.43.208, A 204.46.43.209,

So is the 64.147.113.139 machine the actual DNS server? What's the meaning of the "243/0/2"?
hexophrenic Posted January 27, 2014
Looks like DNS amplification DDoS.
hexophrenic Posted January 27, 2014
Quoting Lost In Cyberia: 'So is the 64.147.113.139 machine the actual DNS server? What's the meaning of the "243/0/2"?'
243 answer records, 0 authoritative responses, 2 non-authoritative responses. This means that one small query returned a very large response, thus the amplification aspect.
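The tcpdump summary format being decoded above, as an added example that is not code from the thread: tcpdump(8) prints a DNS response as id[flags] ancount/nscount/arcount followed by the answer RRs, where the three numbers are the header's answer, authority and additional record counts, and a '|' after the id means the TC (truncated) bit was set ('*' would mean AA). One more thing worth noticing in the two posted lines is that different servers (66.81.1.252 and 203.113.165.27) answer the same victim with the same transaction id, 52313; a real resolver picks a fresh id per query, so a shared id across many reflectors is a strong sign the queries were forged by one tool. The parser below pulls these fields out of tcpdump lines and aggregates them per destination. Input is the two posted lines (RR lists abbreviated) plus constructed lines: a third reflector and an ordinary query/response pair for another customer host, using 198.51.100.x and 192.0.2.x documentation addresses, which are assumptions and not from the capture.

```python
import re
from collections import defaultdict

# tcpdump(8) prints a DNS *response* as
#   ts IP src.sport > dst.dport: id[flags] ancount/nscount/arcount rr, rr, ...
# The three counts are copied from the DNS header (answer / authority /
# additional).  Flag characters after the id: '|' TC (truncated), '*' AA
# (authoritative answer), '-' RA not set, '$' CD set.  Queries print as
# "id+ A? name. (len)" and deliberately do not match this pattern.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>[|*$-]*) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
    r"(?: (?P<rrs>.*))?$"
)


def parse_response(line):
    """Decode one tcpdump DNS response line; return None for anything else."""
    m = RESPONSE_RE.match(line.strip())
    if not m:
        return None
    rr_text = m.group("rrs") or ""
    # Each RR summary is "TYPE [rdata]"; a trailing comma (as in the posted
    # truncated line) only produces an empty token, which is skipped.
    rrtypes = [tok.split()[0] for tok in rr_text.split(",") if tok.strip()]
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "id": int(m.group("id")),
        "truncated": "|" in m.group("flags"),
        "authoritative": "*" in m.group("flags"),
        "ancount": int(m.group("an")),
        "nscount": int(m.group("ns")),
        "arcount": int(m.group("ar")),
        "rrtypes": rrtypes,
    }


def summarize_victims(lines, min_reflectors=2, min_avg_answers=20):
    """Group responses by destination and flag hosts that look like reflection
    victims: several distinct servers answering from port 53 with large answer
    sections, typically all reusing one transaction id."""
    acc = defaultdict(lambda: {"reflectors": set(), "ids": set(),
                               "responses": 0, "answer_rrs": 0, "truncated": 0})
    for line in lines:
        r = parse_response(line)
        if r is None or r["sport"] != 53:
            continue                      # only responses *from* a DNS server
        v = acc[r["dst"]]
        v["reflectors"].add(r["src"])
        v["ids"].add(r["id"])
        v["responses"] += 1
        v["answer_rrs"] += r["ancount"]
        v["truncated"] += int(r["truncated"])
    report = {}
    for dst, v in acc.items():
        avg_answers = v["answer_rrs"] / v["responses"]
        report[dst] = {
            "reflectors": len(v["reflectors"]),
            "responses": v["responses"],
            "answer_rrs": v["answer_rrs"],
            "truncated": v["truncated"],
            "same_txid": len(v["ids"]) == 1,
            "suspect_reflection": (len(v["reflectors"]) >= min_reflectors
                                   and avg_answers >= min_avg_answers),
        }
    return report


# Constructed sample: the two lines posted in the thread (RR lists abbreviated),
# a third reflector reusing the same id, and a normal query/response pair for
# a different customer host (198.51.100.x / 192.0.2.x are placeholders).
SAMPLE = [
    "19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, A 204.46.43.47, A 204.46.43.48",
    "19:44:50.708965 IP 203.113.165.27.53 > 64.147.113.139.33526: 52313| 243/0/2 A 204.46.43.172, A 204.46.43.173,",
    "19:44:50.709112 IP 198.51.100.7.53 > 64.147.113.139.41007: 52313| 243/0/2 A 204.46.43.1, A 204.46.43.2,",
    "19:44:51.001234 IP 64.147.113.140.40211 > 198.51.100.53.53: 17023+ A? example.org. (29)",
    "19:44:51.013456 IP 198.51.100.53.53 > 64.147.113.140.40211: 17023 1/0/0 A 192.0.2.10 (45)",
]

VICTIMS = summarize_victims(SAMPLE)

if __name__ == "__main__":
    for dst, v in VICTIMS.items():
        print(dst, v)
```

Run against a real capture with `tcpdump -nn -r capture.pcap udp port 53 | python3 this.py` style piping by replacing SAMPLE with sys.stdin; the thresholds are starting points, not tuned values. The same_txid flag is the cheapest discriminator: a customer's own resolver traffic will show a different id on nearly every response.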
Lost In Cyberia Posted January 28, 2014
Alright... so the "attacked" IP, the 64.147.113.139, had a flood of records (243 apparently) sent to it, by the most likely spoofed IP of 203.113.165.27. Most likely this IP sent out a whole bunch of DNS requests to recursive name servers, telling them all to give a response back to 64.147.113.139? Do I have this right? Now, did the attack specify which IPs it wanted the DNS servers to send? It seems like a huge range; or did they just do something like 204.46.43.* to grab the entire range?
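The mechanics asked about in the post above, as an added example and not code from the thread: the attacker sends a small UDP query with the victim's address forged as the source, and the resolver's much larger answer is delivered to the victim. The attacker does not choose the returned addresses; they choose a name (or a query type such as ANY) whose RRset is large, and the A records in the response are simply whatever that zone holds. The stdlib-only DNS wire-format encoder below builds such a query and the response a server would return for it, using a hypothetical name, example.net (an assumption; the queried name is not visible in tcpdump's response lines), and 243 A records drawn from the 204.46.43.0/24 range seen in the capture. It shows the query/response size ratio and why EDNS0 matters: without an OPT record the server must fit the answer into 512 bytes, dropping records and setting the TC bit (the '|' tcpdump prints), which caps the amplification.

```python
import struct

A, OPT, IN = 1, 41, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ..., 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=A, txid=52313, edns_udp_size=None):
    """Standard query with RD set.  With edns_udp_size, append an EDNS0 OPT RR
    advertising that UDP payload size so the server may answer beyond 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, IN)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_response(name, addrs, txid=52313, max_udp=512, ttl=300):
    """Answer with one A RR per address.  If the message would exceed max_udp,
    drop whole RRs from the tail, fix ANCOUNT and set TC, as a server does."""
    question = encode_name(name) + struct.pack("!HH", A, IN)
    rrs = [b"\xc0\x0c"                                  # pointer to QNAME at offset 12
           + struct.pack("!HHIH", A, IN, ttl, 4)        # TYPE, CLASS, TTL, RDLENGTH
           + bytes(int(octet) for octet in addr.split("."))
           for addr in addrs]
    fixed = 12 + len(question)
    kept = len(rrs)
    while kept and fixed + sum(len(r) for r in rrs[:kept]) > max_udp:
        kept -= 1
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if kept < len(rrs) else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, kept, 0, 0)
    return header + question + b"".join(rrs[:kept])


def parse_header(msg):
    """Decode the 12-byte header; 'counts' is the an/ns/ar triple tcpdump prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "an": an, "ns": ns, "ar": ar,
            "counts": f"{an}/{ns}/{ar}"}


def amplification(name, addrs, edns_udp_size=None):
    """Size the forged query and the response the victim receives for it."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    response = build_response(name, addrs, max_udp=edns_udp_size or 512)
    h = parse_header(response)
    return {"query_bytes": len(query), "response_bytes": len(response),
            "answers": h["an"], "truncated": h["tc"],
            "factor": len(response) / len(query)}


# Constructed input: 243 addresses from the range in the posted capture.  The
# queried name is an assumption; tcpdump's response lines do not show it.
ADDRS = [f"204.46.43.{i}" for i in range(1, 244)]
NO_EDNS = amplification("example.net", ADDRS)
WITH_EDNS = amplification("example.net", ADDRS, edns_udp_size=4096)

if __name__ == "__main__":
    print("without EDNS0:", NO_EDNS)
    print("with EDNS0 4096:", WITH_EDNS)
```

With EDNS0 the 40-byte query draws a 3917-byte response, a ratio near 98:1; without it the server can only ship 30 of the 243 records in 509 bytes with TC set, so the victim sees roughly 17 bytes back for every byte the attacker sent. That is why reflection tools always advertise a large EDNS0 buffer, and why rate-limiting or dropping large UDP DNS responses to hosts that never sent a matching query is an effective mitigation on the ISP side.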
Dec100 Posted January 28, 2014
This is a good read: http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack
digip Posted January 28, 2014
Someone might have been attacking using a DNS flood, or their machine/home router was compromised and the attack run through their IP/bounced off their network, but I think it looks more like them just scanning subnet ranges or playing with scanning tools. If you're an ISP, you could try forcing their home IP to reset on the modem if you know the client's MAC address; give them a new lease with a new IP. If it continues from the same customer account, either they are using tools to do the DNS scanning or possibly planning attacks, or have a compromised device on their network doing it without their knowledge, but I'm not 100% sure it's a DNS attack. Most likely it was a name scan or just an nmap or zone transfer query, even a scan of the subnet range for pointer records to try and find all the IPs belonging to epa.gov, but it does seem odd they'd hit the whole range if it weren't intentional. Scanning networks and querying services usually isn't an issue unless it seems like this is happening constantly against one entity; if it was a DNS flood, this traffic would probably be constant, and then I'd say it was an attack more than someone poking around and scanning or playing with some tools. If it's constant, then most likely an attack though. As for the "243/0/2", I don't use tcpdump that often; I use Wireshark more than anything when monitoring traffic since I'm more a GUI person and it's just easier to read and understand the output for me personally, so you'd have to read the man pages on tcpdump and see what its formatted output is to know what the "243/0/2" part of the output is.
This looks like it returned all the A records, though, applied to the epa.gov subnet for a range they own, which might have just been a query for all of their IPs related to that subnet without even knowing it was owned by the EPA, since their main epa.gov IP range is on a whole other subnet (see below). If they are going to attack them, you should see some more traffic than just DNS data from the same machine against these IPs, with scans for open ports/services, if they are digging for information on the servers and vulnerable services before an attack of some kind. This looks like they found a subdomain owned by them maybe just by playing with scanning tools against an IP range though, as the "epa.gov" DNS query returns a different subnet altogether.

Array (
  [0] => Array ( [host] => epa.gov [type] => A [ip] => 134.67.21.34 [class] => IN [ttl] => 60 )
  [1] => Array ( [host] => epa.gov [type] => NS [target] => yang.epa.gov [class] => IN [ttl] => 80567 )
  [2] => Array ( [host] => epa.gov [type] => NS [target] => ying.epa.gov [class] => IN [ttl] => 80567 )
  [3] => Array ( [host] => epa.gov [type] => NS [target] => folsom.epa.gov [class] => IN [ttl] => 80567 )
  [4] => Array ( [host] => epa.gov [type] => NS [target] => rikers.epa.gov [class] => IN [ttl] => 80567 )
  [5] => Array ( [host] => epa.gov [type] => SOA [mname] => ying.epa.gov [rname] => dnsadmin.epa.gov [serial] => 1390885426 [refresh] => 3600 [retry] => 900 [expire] => 1209600 [minimum-ttl] => 600 [class] => IN [ttl] => 43200 )
  [6] => Array ( [host] => epa.gov [type] => MX [pri] => 32 [target] => mseive01.rtp.epa.gov [class] => IN [ttl] => 43200 )
  [7] => Array ( [host] => epa.gov [type] => MX [pri] => 32 [target] => mseive03.pyd.epa.gov [class] => IN [ttl] => 43200 )
  [8] => Array ( [host] => epa.gov [type] => MX [pri] => 15 [target] => mseive11.rtp.epa.gov [class] => IN [ttl] => 43200 )
  [9] => Array ( [host] => epa.gov [type] => MX [pri] => 15 [target] => mseive12.rtp.epa.gov [class] => IN [ttl] => 43200 )
  [10] => Array ( [host] => epa.gov [type] => TXT [txt] => MS=ms76223147 [entries] => Array ( [0] => MS=ms76223147 ) [class] => IN [ttl] => 3600 )
  [11] => Array ( [host] => epa.gov [type] => AAAA [ipv6] => 2620::b12:51:134:67:21:34 [class] => IN [ttl] => 60 )
)

epa.gov has address 134.67.21.34
epa.gov has IPv6 address 2620:0:b12:51:134:67:21:34
epa.gov mail is handled by 32 mseive01.rtp.epa.gov.
epa.gov mail is handled by 32 mseive03.pyd.epa.gov.
epa.gov mail is handled by 15 mseive11.rtp.epa.gov.
epa.gov mail is handled by 15 mseive12.rtp.epa.gov.
epa.gov name server rikers.epa.gov.
epa.gov name server yang.epa.gov.
epa.gov name server folsom.epa.gov.
epa.gov name server ying.epa.gov.

http://whois.domaintools.com/204.46.43.172 shows it as unassigned.epa.gov, and a name scan for the range 204.46.43.1-204.46.43.255 just shows they own that IP space; it may be reserved for later use, with nothing on those nodes yet. I didn't even scan the whole subnet that they own (204.46.0.0/15), but for whatever reason someone looks to be poking around their IP ranges, maybe to find more info, but because they are on two different subnet ranges, I'm leaning more towards someone just scanning IP ranges.
Tool/Test: Name Lookup Scan
Date: 01/28/14 09:12:50
Parameters
Start Address: 204.46.43.1
End Address: 204.46.43.255
Remove Unresolved: No
Results (IP Address / Resolved Name)
204.46.43.1 unassigned.epa.gov  204.46.43.2 unassigned.epa.gov  204.46.43.3 unassigned.epa.gov  204.46.43.4 unassigned.epa.gov  204.46.43.5 unassigned.epa.gov
204.46.43.6 unassigned.epa.gov  204.46.43.7 unassigned.epa.gov  204.46.43.8 unassigned.epa.gov  204.46.43.9 unassigned.epa.gov  204.46.43.10 unassigned.epa.gov
204.46.43.11 unassigned.epa.gov  204.46.43.12 unassigned.epa.gov  204.46.43.13 unassigned.epa.gov  204.46.43.14 unassigned.epa.gov  204.46.43.15 unassigned.epa.gov
204.46.43.16 unassigned.epa.gov  204.46.43.17 unassigned.epa.gov  204.46.43.18 unassigned.epa.gov  204.46.43.19 unassigned.epa.gov  204.46.43.20 unassigned.epa.gov
204.46.43.21 unassigned.epa.gov  204.46.43.22 unassigned.epa.gov  204.46.43.23 unassigned.epa.gov  204.46.43.24 unassigned.epa.gov  204.46.43.25 unassigned.epa.gov
204.46.43.26 unassigned.epa.gov  204.46.43.27 unassigned.epa.gov  204.46.43.28 unassigned.epa.gov  204.46.43.29 unassigned.epa.gov  204.46.43.30 unassigned.epa.gov
204.46.43.31 unassigned.epa.gov  204.46.43.32 unassigned.epa.gov  204.46.43.33 unassigned.epa.gov  204.46.43.34 unassigned.epa.gov  204.46.43.35 unassigned.epa.gov
204.46.43.36 unassigned.epa.gov  204.46.43.37 unassigned.epa.gov  204.46.43.38 unassigned.epa.gov  204.46.43.39 unassigned.epa.gov  204.46.43.40 unassigned.epa.gov
204.46.43.41 unassigned.epa.gov  204.46.43.42 unassigned.epa.gov  204.46.43.43 unassigned.epa.gov  204.46.43.44 unassigned.epa.gov  204.46.43.45 unassigned.epa.gov
204.46.43.46 unassigned.epa.gov  204.46.43.47 unassigned.epa.gov  204.46.43.48 unassigned.epa.gov  204.46.43.49 unassigned.epa.gov  204.46.43.50 unassigned.epa.gov
204.46.43.51 unassigned.epa.gov  204.46.43.52 unassigned.epa.gov  204.46.43.53 unassigned.epa.gov  204.46.43.54 unassigned.epa.gov  204.46.43.55 unassigned.epa.gov
204.46.43.56 unassigned.epa.gov  204.46.43.57 unassigned.epa.gov  204.46.43.58 unassigned.epa.gov  204.46.43.59 unassigned.epa.gov  204.46.43.60 unassigned.epa.gov
204.46.43.61 unassigned.epa.gov  204.46.43.62 unassigned.epa.gov  204.46.43.63 unassigned.epa.gov  204.46.43.64 unassigned.epa.gov  204.46.43.65 unassigned.epa.gov
204.46.43.66 unassigned.epa.gov  204.46.43.67 unassigned.epa.gov  204.46.43.68 unassigned.epa.gov  204.46.43.69 unassigned.epa.gov  204.46.43.70 unassigned.epa.gov
204.46.43.71 unassigned.epa.gov  204.46.43.72 unassigned.epa.gov  204.46.43.73 unassigned.epa.gov  204.46.43.74 unassigned.epa.gov  204.46.43.75 unassigned.epa.gov
204.46.43.76 unassigned.epa.gov  204.46.43.77 unassigned.epa.gov  204.46.43.78 unassigned.epa.gov  204.46.43.79 unassigned.epa.gov  204.46.43.80 unassigned.epa.gov
204.46.43.81 unassigned.epa.gov  204.46.43.82 unassigned.epa.gov  204.46.43.83 unassigned.epa.gov  204.46.43.84 unassigned.epa.gov  204.46.43.85 unassigned.epa.gov
204.46.43.86 unassigned.epa.gov  204.46.43.87 unassigned.epa.gov  204.46.43.88 unassigned.epa.gov  204.46.43.89 unassigned.epa.gov  204.46.43.90 unassigned.epa.gov
204.46.43.91 unassigned.epa.gov  204.46.43.92 unassigned.epa.gov  204.46.43.93 unassigned.epa.gov  204.46.43.94 unassigned.epa.gov  204.46.43.95 unassigned.epa.gov
204.46.43.96 unassigned.epa.gov  204.46.43.97 unassigned.epa.gov  204.46.43.98 unassigned.epa.gov  204.46.43.99 unassigned.epa.gov  204.46.43.100 unassigned.epa.gov
204.46.43.101 unassigned.epa.gov  204.46.43.102 unassigned.epa.gov  204.46.43.103 unassigned.epa.gov  204.46.43.104 unassigned.epa.gov  204.46.43.105 unassigned.epa.gov
204.46.43.106 unassigned.epa.gov  204.46.43.107 unassigned.epa.gov  204.46.43.108 unassigned.epa.gov  204.46.43.109 unassigned.epa.gov  204.46.43.110 unassigned.epa.gov
204.46.43.111 unassigned.epa.gov  204.46.43.112 unassigned.epa.gov  204.46.43.113 unassigned.epa.gov  204.46.43.114 unassigned.epa.gov  204.46.43.115 unassigned.epa.gov
204.46.43.116 unassigned.epa.gov  204.46.43.117 unassigned.epa.gov  204.46.43.118 unassigned.epa.gov  204.46.43.119 unassigned.epa.gov  204.46.43.120 unassigned.epa.gov
204.46.43.121 unassigned.epa.gov  204.46.43.122 unassigned.epa.gov  204.46.43.123 unassigned.epa.gov  204.46.43.124 unassigned.epa.gov  204.46.43.125 unassigned.epa.gov
204.46.43.126 unassigned.epa.gov  204.46.43.127 unassigned.epa.gov  204.46.43.128 unassigned.epa.gov  204.46.43.129 unassigned.epa.gov  204.46.43.130 unassigned.epa.gov
204.46.43.131 unassigned.epa.gov  204.46.43.132 unassigned.epa.gov  204.46.43.133 unassigned.epa.gov  204.46.43.134 unassigned.epa.gov  204.46.43.135 unassigned.epa.gov
204.46.43.136 unassigned.epa.gov  204.46.43.137 unassigned.epa.gov  204.46.43.138 unassigned.epa.gov  204.46.43.139 unassigned.epa.gov  204.46.43.140 unassigned.epa.gov
204.46.43.141 unassigned.epa.gov  204.46.43.142 unassigned.epa.gov  204.46.43.143 unassigned.epa.gov  204.46.43.144 unassigned.epa.gov  204.46.43.145 unassigned.epa.gov
204.46.43.146 unassigned.epa.gov  204.46.43.147 unassigned.epa.gov  204.46.43.148 unassigned.epa.gov  204.46.43.149 unassigned.epa.gov  204.46.43.150 unassigned.epa.gov
204.46.43.151 unassigned.epa.gov  204.46.43.152 unassigned.epa.gov  204.46.43.153 unassigned.epa.gov  204.46.43.154 unassigned.epa.gov  204.46.43.155 unassigned.epa.gov
204.46.43.156 unassigned.epa.gov  204.46.43.157 unassigned.epa.gov  204.46.43.158 unassigned.epa.gov  204.46.43.159 unassigned.epa.gov  204.46.43.160 unassigned.epa.gov
204.46.43.161 unassigned.epa.gov  204.46.43.162 unassigned.epa.gov  204.46.43.163 unassigned.epa.gov  204.46.43.164 unassigned.epa.gov  204.46.43.165 unassigned.epa.gov
204.46.43.166 unassigned.epa.gov  204.46.43.167 unassigned.epa.gov  204.46.43.168 unassigned.epa.gov  204.46.43.169 unassigned.epa.gov  204.46.43.170 unassigned.epa.gov
204.46.43.171 unassigned.epa.gov  204.46.43.172 unassigned.epa.gov  204.46.43.173 unassigned.epa.gov  204.46.43.174 unassigned.epa.gov  204.46.43.175 unassigned.epa.gov
204.46.43.176 unassigned.epa.gov  204.46.43.177 unassigned.epa.gov  204.46.43.178 unassigned.epa.gov  204.46.43.179 unassigned.epa.gov  204.46.43.180 unassigned.epa.gov
204.46.43.181 unassigned.epa.gov  204.46.43.182 unassigned.epa.gov  204.46.43.183 unassigned.epa.gov  204.46.43.184 unassigned.epa.gov  204.46.43.185 unassigned.epa.gov
204.46.43.186 unassigned.epa.gov  204.46.43.187 unassigned.epa.gov  204.46.43.188 unassigned.epa.gov  204.46.43.189 unassigned.epa.gov  204.46.43.190 unassigned.epa.gov
204.46.43.191 unassigned.epa.gov  204.46.43.192 unassigned.epa.gov  204.46.43.193 unassigned.epa.gov  204.46.43.194 unassigned.epa.gov  204.46.43.195 unassigned.epa.gov
204.46.43.196 unassigned.epa.gov  204.46.43.197 unassigned.epa.gov  204.46.43.198 unassigned.epa.gov  204.46.43.199 unassigned.epa.gov  204.46.43.200 unassigned.epa.gov
204.46.43.201 unassigned.epa.gov  204.46.43.202 unassigned.epa.gov  204.46.43.203 unassigned.epa.gov  204.46.43.204 unassigned.epa.gov  204.46.43.205 unassigned.epa.gov
204.46.43.206 unassigned.epa.gov  204.46.43.207 unassigned.epa.gov  204.46.43.208 unassigned.epa.gov  204.46.43.209 unassigned.epa.gov  204.46.43.210 unassigned.epa.gov
204.46.43.211 unassigned.epa.gov  204.46.43.212 unassigned.epa.gov  204.46.43.213 unassigned.epa.gov  204.46.43.214 unassigned.epa.gov  204.46.43.215 unassigned.epa.gov
204.46.43.216 unassigned.epa.gov  204.46.43.217 unassigned.epa.gov  204.46.43.218 unassigned.epa.gov  204.46.43.219 unassigned.epa.gov  204.46.43.220 unassigned.epa.gov
204.46.43.221 unassigned.epa.gov  204.46.43.222 unassigned.epa.gov  204.46.43.223 unassigned.epa.gov  204.46.43.224 unassigned.epa.gov  204.46.43.225 unassigned.epa.gov
204.46.43.226 unassigned.epa.gov  204.46.43.227 unassigned.epa.gov  204.46.43.228 unassigned.epa.gov  204.46.43.229 unassigned.epa.gov  204.46.43.230 unassigned.epa.gov
204.46.43.231 unassigned.epa.gov  204.46.43.232 unassigned.epa.gov  204.46.43.233 unassigned.epa.gov  204.46.43.234 unassigned.epa.gov  204.46.43.235 unassigned.epa.gov
204.46.43.236 unassigned.epa.gov  204.46.43.237 unassigned.epa.gov  204.46.43.238 unassigned.epa.gov  204.46.43.239 unassigned.epa.gov  204.46.43.240 unassigned.epa.gov
204.46.43.241 unassigned.epa.gov  204.46.43.242 unassigned.epa.gov  204.46.43.243 unassigned.epa.gov  204.46.43.244 unassigned.epa.gov  204.46.43.245 unassigned.epa.gov
204.46.43.246 unassigned.epa.gov  204.46.43.247 unassigned.epa.gov  204.46.43.248 unassigned.epa.gov  204.46.43.249 unassigned.epa.gov  204.46.43.250 unassigned.epa.gov
204.46.43.251 unassigned.epa.gov  204.46.43.252 unassigned.epa.gov  204.46.43.253 unassigned.epa.gov  204.46.43.254 unassigned.epa.gov  204.46.43.255 unassigned.epa.gov

Scanning in general is not usually a crime, and there are tools now to scan the entire internet in like 15 minutes (masscan), but if you see that 64.147.113.139.static.nyinternet.net is doing more than just scans, for whatever reason you have to be monitoring that node, then I'd keep an eye on what it is they do against the .gov site(s) and whether any real attacks take place. It may just be someone experimenting, learning and scanning IP ranges for personal use, which is harmless until they do something malicious against an actual IP with some form of attack, but again, they may not even know their node is being used to scan the range, which means they may have been compromised or are being bounced off of without their own knowledge. Basically, this is all speculation based on the little amount of info you shared, and for where you work, you probably can't share, nor should share, more than what you already have, since the person may not have done anything wrong or malicious without more proof of some kind of attack or info. If that's the case, report it; don't post their home IP on the forums.
Lost In Cyberia Posted January 29, 2014
Thanks digip! I appreciate the lengthy post, and it was answered earlier by hexophrenic: the 243/0/2 response was the number of records that were returned, from 0 authoritative and 2 non-authoritative responses.