
Re: Strange traffic from ISP dns server



On Sun, 13 Jan 2002, Peter Jönsson wrote:

> Hi!
>
> I'm running snort on my firewall and it keeps catching connections from
> one of my ISP's DNS servers.  I'm quite sure this traffic is legit but it
> has been bugging me for a while what it's there for. Since it's coming from
> port 53 I'm guessing that it has something to do with DNS. My ISP assigns
> a hostname ( ex. h106n2fls32o852.telia.com ) to my machine when I lease
> an IP-address, could this just be that they are checking if my IP-address
> matches the IP-address assigned to the hostname in their records?
>
> Jan 10 19:46:04 mars snort: ShockRave: 10.0.0.1:53 -> <my-ip>:1981
> Jan 10 20:03:12 mars snort: Back Door: 10.0.0.1:53 -> <my-ip>:1999
> Jan 10 20:03:13 mars snort: Trojan Cow: 10.0.0.1:53 -> <my-ip>:2001
> Jan 10 20:03:23 mars snort: Ripper Pro: 10.0.0.1:53 -> <my-ip>:2023
> Jan 10 20:16:24 mars snort: Bugs: 10.0.0.1:53 -> <my-ip>:2115
> Jan 11 02:06:58 mars snort: Striker: 10.0.0.1:53 -> <my-ip>:2565
> Jan 11 15:56:25 mars snort: Phineas Phucker: 10.0.0.1:53 -> <my-ip>:2801
> Jan 11 18:04:35 mars snort: Rat backdoor: 10.0.0.1:53 -> <my-ip>:2989
> Jan 11 18:09:27 mars snort: WinCrash: 10.0.0.1:53 -> <my-ip>:3024
> Jan 12 19:33:17 mars snort: Deep Throat/Invasor: 10.0.0.1:53 -> <my-ip>:3150

Is 10.0.0.1 your ISP?!

Those look like spoofed packets.

Packets from addresses 10.x.x.x, 172.16-32.x.x and 192.168.x.x should not
come from the internet. Those address ranges are preserved for "private"
networks. Your firewall should generally drop any such packet.

Note that if your local network actually contains such addresses (e.g.:
your home network is a masqueraded one, and uses the range 192.168.0.x)
then you should allow packets of that range from the internal interface.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
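An added example (not from this thread) of the check Tzafrir describes, written as detection logic over the posted snort lines: an alert is flagged when its source address lies in an RFC 1918 private range unless the packet arrived on an interface listed as internal. The interface names (ppp0, eth1), the extra internal-network line and the tagging of each line with an interface are assumptions made for the example.

```python
import ipaddress
import re

# RFC 1918 private ranges: none of these should arrive from the internet.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the alert shape shown in the post: "snort: <sig>: <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"snort: (?P<sig>.+?): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
)


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_alert(line, iface, internal_ifaces=("eth1",)):
    """Parse one snort line; report whether its private source is suspicious.

    A private source is expected on an internal interface (assumed: eth1) but
    should never show up on the internet-facing one (assumed: ppp0).
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    src = m.group("src")
    return {
        "sig": m.group("sig"),
        "src": src,
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "spoofed_private_source": is_private(src) and iface not in internal_ifaces,
    }


# Constructed sample: two lines from the post (external interface assumed) plus
# one constructed line from the masqueraded home LAN on the internal interface.
SAMPLE = [
    ("ppp0", "Jan 10 19:46:04 mars snort: ShockRave: 10.0.0.1:53 -> <my-ip>:1981"),
    ("eth1", "Jan 10 19:50:00 mars snort: ShockRave: 192.168.0.5:53 -> 192.168.0.1:1981"),
    ("ppp0", "Jan 11 02:06:58 mars snort: Striker: 198.51.100.7:53 -> <my-ip>:2565"),
]


def flag_spoofed(samples):
    """Return the parsed alerts whose private source came in from the internet."""
    results = (check_alert(line, iface) for iface, line in samples)
    return [r for r in results if r and r["spoofed_private_source"]]
```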



