
TCPDUMP Strange Queries..


Lost In Cyberia


Hello everyone, so I'm getting this tcpdump, and it looks like quite a mess. Can anyone decipher this? I can tell that one IP is requesting DNS info, but I'm having trouble finding out what some of the fields actually mean.


19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, A 204.46.43.47, A 204.46.43.48, A 204.46.43.49, A 204.46.43.50, A 204.46.43.51, A 204.46.43.52, A 204.46.43.53, A 204.46.43.54, A 204.46.43.55, A 204.46.43.56, A 204.46.43.57, A 204.46.43.58, A 204.46.43.59, A 204.46.43.60, A 204.46.43.61, A 204.46.43.62, A 204.46.43.63, A 204.46.43.64, A 204.46.43.65

I know the first set of numbers is the time stamp, the second is the IP address, and the next is the destination IP, with the port number after the last octet of the IP. What comes next, the '243/2/7', is what confuses me. I know SOA is the start of authority, but what does it all mean together? I have a huge flood of traffic with this type of output. I know the A's represent A records, but are these being requested or sent? Can someone break this down for me in terms of what is actually happening here?


Check your server's DNS settings and whether it's secured against zone transfers. If not, they could be scanning your (I guess corporate/work) LAN for internal addresses for the subnet behind NAT, although the range looks like addresses you'd see on the internet, unless you for some reason chose that range for an internal network.

204.46.43.65, for example, is epa.gov on the internet side, but if it's on a network behind NAT it could be anything. It's possible your machine is being used to scan another network such as the EPA's, using you to bounce off of, which would be a bad thing: most likely you have an intruder on your internal network scanning external networks, or the machine you're on is compromised, or, for whatever reason, people are just visiting the EPA and you're seeing their traffic to the site and the normal DNS requests the machine is making to their site. They seem to return unassigned.epa.gov if you try to resolve them, so maybe someone visited epa.gov, they have multiple IPs for redundancy, and you got all of them back for whatever reason in the request for the site.

Edited by digip

Thanks for the response digip. We are behind NAT, but this range is not used by us, so it's definitely an external IP. The segment of traffic I posted was a mere drop in the bucket of the traffic that flooded the client's machine. (We're an ISP and saw a ton of traffic slam the client.)

Another tiny snippet:

19:44:50.708965 IP 203.113.165.27.53 > 64.147.113.139.33526: 52313| 243/0/2 A 204.46.43.172, A 204.46.43.173, A 204.46.43.174, A 204.46.43.175, A 204.46.43.176, A 204.46.43.177, A 204.46.43.178, A 204.46.43.179, A 204.46.43.180, A 204.46.43.181, A 204.46.43.182, A 204.46.43.183, A 204.46.43.184, A 204.46.43.185, A 204.46.43.186, A 204.46.43.187, A 204.46.43.188, A 204.46.43.189, A 204.46.43.190, A 204.46.43.191, A 204.46.43.192, A 204.46.43.193, A 204.46.43.194, A 204.46.43.195, A 204.46.43.196, A 204.46.43.197, A 204.46.43.198, A 204.46.43.199, A 204.46.43.200, A 204.46.43.201, A 204.46.43.202, A 204.46.43.203, A 204.46.43.204, A 204.46.43.205, A 204.46.43.206, A 204.46.43.207, A 204.46.43.208, A 204.46.43.209,

So is the 64.147.113.139 machine the actual DNS server? What's the meaning of the "243/0/2"?


243 answer records, 0 authoritative responses, 2 non-authoritative responses. This means that one small query returned a very large response, thus the amplification aspect.

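An added example, not code from the thread: it parses tcpdump DNS response lines of the shape shown above, pulls out the transaction id, the truncation flag and the answer/authority/additional counts that hexophrinic decodes, and then flags the pattern an ISP would want to catch, namely many different resolvers answering one client with the same transaction id. The sample lines are constructed in the thread's format with shortened record lists; the third line uses documentation addresses (192.0.2.x, 198.51.100.x) that are not from the page.

```python
import re
from collections import defaultdict

# Shape of a tcpdump DNS response summary line, e.g.
#   19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, ...
# After the transaction id tcpdump may print flag characters: '*' (authoritative answer),
# '-' (recursion not available), '|' (truncated, TC bit set), '$' (authenticated data).
# Then come the answer/authority/additional record counts and a summary of the records.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[*|$-]*) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?P<rrs>.*)$"
)
A_RR_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")

def parse_dns_response(line):
    """Return the fields of one tcpdump DNS response line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "resolver": m["src"],
        "src_port": int(m["sport"]),
        "victim": m["dst"],           # destination of the response
        "dst_port": int(m["dport"]),
        "txid": int(m["txid"]),
        "truncated": "|" in m["flags"],
        "authoritative": "*" in m["flags"],
        "answers": int(m["an"]),      # ANCOUNT: records in the answer section
        "authority": int(m["ns"]),    # NSCOUNT: authority (NS/SOA) records
        "additional": int(m["ar"]),   # ARCOUNT: additional records
        "a_records": A_RR_RE.findall(m["rrs"]),
    }

def summarize_by_destination(lines):
    """Group responses by destination host and compute reflection indicators."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_dns_response(line)
        if rec and rec["src_port"] == 53:
            groups[rec["victim"]].append(rec)
    report = {}
    for victim, recs in groups.items():
        resolvers = {r["resolver"] for r in recs}
        txids = {r["txid"] for r in recs}
        report[victim] = {
            "responses": len(recs),
            "distinct_resolvers": len(resolvers),
            "distinct_txids": len(txids),
            "total_answer_records": sum(r["answers"] for r in recs),
            "truncated_responses": sum(r["truncated"] for r in recs),
            # Several different resolvers all answering one host with the *same*
            # transaction id is what a spoofed-source reflection flood looks like;
            # a real stub resolver picks a fresh id for every query it sends.
            "looks_reflected": len(resolvers) > 1 and len(txids) == 1,
        }
    return report

# Constructed sample in the thread's format (record lists shortened).
SAMPLE = """\
19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313 243/2/7 SOA, A 204.46.43.46, A 204.46.43.47, A 204.46.43.48
19:44:50.708965 IP 203.113.165.27.53 > 64.147.113.139.33526: 52313| 243/0/2 A 204.46.43.172, A 204.46.43.173
19:44:51.000000 IP 192.0.2.10.53 > 192.0.2.20.51001: 4711 1/0/0 A 198.51.100.5
"""

if __name__ == "__main__":
    for victim, stats in summarize_by_destination(SAMPLE.splitlines()).items():
        print(victim, stats)
```

Feed it `tcpdump -n udp src port 53` output to get the same per-client summary on live traffic; the `truncated_responses` count matters because a `|` means the responder hit the UDP size limit and the victim is receiving the largest replies the resolver will send.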

Alright... so the "attacked" IP, 64.147.113.139, had a flood of records (243 apparently) sent to it by the most likely spoofed IP of 203.113.165.27. Most likely this IP sent out a whole bunch of DNS requests to recursive name servers, telling them all to give a response back to 64.147.113.139? Do I have this right?

Now, did the attack specify which IPs it wanted the DNS servers to send? It seems like a huge range. Or did they just do something like 204.46.43.* to grab the entire range?


Someone might have been attacking using a DNS flood, or their machine/home router was compromised and the attack was run through their IP/bounced off their network, but I think it looks more like them just scanning subnet ranges or playing with scanning tools. If you're an ISP, you could try forcing their home IP to reset on the modem if you know the client's MAC address, and give them a new lease with a new IP. If it continues from the same customer account, either they are using tools to do the DNS scanning or possibly planning attacks, or they have a compromised device on their network doing it without their knowledge, but I'm not 100% sure it's a DNS attack. Most likely it was a name scan or just an nmap or zone transfer query, even a scan of the subnet range for pointer records to try and find all the IPs belonging to epa.gov, but it does seem odd they'd hit the whole range if it weren't intentional. Scanning networks and querying services usually isn't an issue unless it seems like this is happening constantly against one entity; if it was a DNS flood, this traffic would probably be constant, and then I'd say it was an attack more than someone poking around and scanning or playing with some tools. If it's constant, then it's most likely an attack though.

As for the "243/0/2", I don't use tcpdump that often; I use Wireshark more than anything when monitoring traffic, since I'm more of a GUI person and its output is just easier for me personally to read and understand, so you'd have to read the man pages on tcpdump and see what its formatted output is to know what the "243/0/2" part of the output means. This looks like it returned all the A records, though, applied to epa.gov's subnet for a range they own, which might have just been a query for all of their IPs related to that subnet without even knowing it was owned by the EPA, since their main epa.gov IP range is on a whole other subnet (see below). If they are going to attack them, you should see some more traffic than just DNS data from the same machine against these IPs, with scans for open ports/services if they are digging for information on the servers and vulnerable services before an attack of some kind. This looks like they found a subdomain owned by them, maybe just by playing with scanning tools against an IP range, as the "epa.gov" DNS query returns a different subnet altogether.

Array
(
    [0] => Array
        (
            [host] => epa.gov
            [type] => A
            [ip] => 134.67.21.34
            [class] => IN
            [ttl] => 60
        )

    [1] => Array
        (
            [host] => epa.gov
            [type] => NS
            [target] => yang.epa.gov
            [class] => IN
            [ttl] => 80567
        )

    [2] => Array
        (
            [host] => epa.gov
            [type] => NS
            [target] => ying.epa.gov
            [class] => IN
            [ttl] => 80567
        )

    [3] => Array
        (
            [host] => epa.gov
            [type] => NS
            [target] => folsom.epa.gov
            [class] => IN
            [ttl] => 80567
        )

    [4] => Array
        (
            [host] => epa.gov
            [type] => NS
            [target] => rikers.epa.gov
            [class] => IN
            [ttl] => 80567
        )

    [5] => Array
        (
            [host] => epa.gov
            [type] => SOA
            [mname] => ying.epa.gov
            [rname] => dnsadmin.epa.gov
            [serial] => 1390885426
            [refresh] => 3600
            [retry] => 900
            [expire] => 1209600
            [minimum-ttl] => 600
            [class] => IN
            [ttl] => 43200
        )

    [6] => Array
        (
            [host] => epa.gov
            [type] => MX
            [pri] => 32
            [target] => mseive01.rtp.epa.gov
            [class] => IN
            [ttl] => 43200
        )

    [7] => Array
        (
            [host] => epa.gov
            [type] => MX
            [pri] => 32
            [target] => mseive03.pyd.epa.gov
            [class] => IN
            [ttl] => 43200
        )

    [8] => Array
        (
            [host] => epa.gov
            [type] => MX
            [pri] => 15
            [target] => mseive11.rtp.epa.gov
            [class] => IN
            [ttl] => 43200
        )

    [9] => Array
        (
            [host] => epa.gov
            [type] => MX
            [pri] => 15
            [target] => mseive12.rtp.epa.gov
            [class] => IN
            [ttl] => 43200
        )

    [10] => Array
        (
            [host] => epa.gov
            [type] => TXT
            [txt] => MS=ms76223147
            [entries] => Array
                (
                    [0] => MS=ms76223147
                )

            [class] => IN
            [ttl] => 3600
        )

    [11] => Array
        (
            [host] => epa.gov
            [type] => AAAA
            [ipv6] => 2620::b12:51:134:67:21:34
            [class] => IN
            [ttl] => 60
        )

)

epa.gov has address 134.67.21.34
epa.gov has IPv6 address 2620:0:b12:51:134:67:21:34
epa.gov mail is handled by 32 mseive01.rtp.epa.gov.
epa.gov mail is handled by 32 mseive03.pyd.epa.gov.
epa.gov mail is handled by 15 mseive11.rtp.epa.gov.
epa.gov mail is handled by 15 mseive12.rtp.epa.gov.

epa.gov name server rikers.epa.gov.
epa.gov name server yang.epa.gov.
epa.gov name server folsom.epa.gov.
epa.gov name server ying.epa.gov.

http://whois.domaintools.com/204.46.43.172 shows it as unassigned.epa.gov, and a name scan for the range 204.46.43.1-204.46.43.255 just shows they own that IP space, which may be reserved for later use with nothing on those nodes yet. I didn't even scan the whole subnet that they own (204.46.0.0/15), but for whatever reason someone looks to be poking around their IP ranges, maybe to find more info, but because they are on two different subnet ranges, I'm leaning more towards someone just scanning IP ranges.

Tool/Test: Name Lookup Scan
Date: 01/28/14 09:12:50

Parameters 
*********** 
Start Address: 204.46.43.1 
End Address: 204.46.43.255 
Remove Unresolved: No 


Scanning in general is not usually a crime, and there are tools now that can scan the entire internet in about 15 minutes (masscan), but if you see that 64.147.113.139.static.nyinternet.net is doing more than just scans, and for whatever reason you have to be monitoring that node, then I'd keep an eye on what they do against the .gov site(s) and whether any real attacks take place. It may just be someone experimenting, learning and scanning IP ranges for personal use, which is harmless until they do something malicious against an actual IP with some form of attack, but again, they may not even know their node is being used to scan the range, which means they may have been compromised or are being bounced off of without their own knowledge.

Basically, this is all speculation based on the little info you shared, and given where you work, you probably can't share, nor should you share, more than what you already have, since the person may not have done anything wrong or malicious without more proof of some kind of attack. If that's the case, report it; don't post their home IP on the forums.


Thanks digip! I appreciate the lengthy post. It was answered earlier by hexophrinic: the 243/0/2 response was the number of records that were returned, from 0 authoritative and 2 non-authoritative responses.
