HTML content in TCP packets to my DNS service.

rhys at my-deja.com rhys at my-deja.com
Tue Jun 27 10:57:29 UTC 2000


I've been logging some strange hits on my DNS servers, for TCP
connections to port 53. These hits are from a number of source IP
addresses around the world, none of which are secondary servers for my
domain.

The following example shows a typical session, and whilst the packet
content changes, the handshake steps, packet sizes and TTLs shown here
remain constant. The data content changes, but seems HTML based,
with "HTTP" and "GET /"'s appearing in many of the *R* and *R*A*
packets.

This is odd.

The frequency of hits makes it look like an automated process. The
content of the Reset Reset/Ack packets is presumably semi-random (and
meaningless) content, but possibly a clue as to what
process/application is initiating this. If it wasn't for the HTML
content of the reset packets, and the pattern to the conversations
(many such connections over a forty minute period this morning) I'd
assume it was some sort of nmap polling process (if this does turn out
to be non-DNS/BIND related (i.e. something just picking on port 53)
then apologies to the forum).

Anyone have any suggestions on this?

Rhys
----------------

[**] TCP connection to DNS server [**]
06/27-07:37:49.653930 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:233 TOS:0x0 ID:63401
**S***** Seq: 0x771BE074   Ack: 0x0   Win: 0x800
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

[**] TCP connection From DNS server [**]
06/27-07:37:49.654128 xxx.xxx.125.4:53 -> xxx.211.187.254:3501
TCP TTL:64 TOS:0x0 ID:18035  DF
**S***A* Seq: 0xD4EF228C   Ack: 0x771BE075   Win: 0x7DA0
TCP Options => MSS: 536
02 18                                            ..

[**] TCP connection To DNS server [**]
06/27-07:37:50.269171 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:42 TOS:0x0 ID:50354
****R*** Seq: 0x771BE075   Ack: 0x0   Win: 0x0
02 04 05 B4 2F 74                                ..../t

[**] TCP connection To DNS server [**]
06/27-07:37:50.271973 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:233 TOS:0x0 ID:33463
****R*A* Seq: 0x771BE075   Ack: 0xD4EF228D   Win: 0x800
48 54 54 50 2F 31                                HTTP/1


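An added example, not part of Rhys's post or anything from bind-users: it parses records in the Snort-style format shown above and flags the three things a defender would note in that session, namely RST segments that carry payload, HTTP text aimed at port 53, and a single source address whose TTL changes within one flow. The sample records are constructed from the post's dump and abridged (the banner lines and the server's SYN/ACK are left out).

```python
import re

# Constructed sample in the Snort-style format quoted in the post (abridged:
# banner lines and the SYN/ACK record omitted; addresses masked as in the post).
SAMPLE_LOG = """\
06/27-07:37:49.653930 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:233 TOS:0x0 ID:63401
**S***** Seq: 0x771BE074   Ack: 0x0   Win: 0x800

06/27-07:37:50.269171 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:42 TOS:0x0 ID:50354
****R*** Seq: 0x771BE075   Ack: 0x0   Win: 0x0
02 04 05 B4 2F 74                                ..../t

06/27-07:37:50.271973 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:233 TOS:0x0 ID:33463
****R*A* Seq: 0x771BE075   Ack: 0xD4EF228D   Win: 0x800
48 54 54 50 2F 31                                HTTP/1
"""
HDR = re.compile(r"^\S+ (\S+):\d+ -> (\S+):(\d+)$")          # timestamp src:port -> dst:port
HEXLINE = re.compile(r"((?:[0-9A-F]{2} ?)+) +.*")            # hex bytes, gap, ASCII column

def parse_snort(text):
    # One record per blank-line-separated block; collect src, dst, dport, ttl, flags, payload.
    pkts = []
    for rec in text.strip().split("\n\n"):
        p = {"payload": b""}
        for line in rec.splitlines():
            if m := HDR.match(line):
                p["src"], p["dst"], p["dport"] = m[1], m[2], int(m[3])
            elif line.startswith("TCP TTL:"):
                p["ttl"] = int(re.search(r"TTL:(\d+)", line)[1])
            elif " Seq: " in line:
                p["flags"] = line.split()[0]                  # e.g. ****R*A*
            elif m := HEXLINE.fullmatch(line):
                p["payload"] += bytes.fromhex(m[1])           # fromhex ignores the spaces
        pkts.append(p)
    return pkts

def flag_session(pkts):
    # Findings worth raising for this flow, in packet order, then per-source TTL drift.
    findings, ttls = [], {}
    for p in pkts:
        ttls.setdefault(p["src"], set()).add(p["ttl"])
        if "R" in p["flags"] and p["payload"]:
            findings.append(f"RST from {p['src']} carries {len(p['payload'])} payload bytes")
        if p["dport"] == 53 and (b"HTTP" in p["payload"] or b"GET /" in p["payload"]):
            findings.append(f"HTTP text in DNS-port payload: {p['payload']!r}")
    for src, seen in ttls.items():
        if len(seen) > 1:   # one address, two hop counts within a second: not one host's path
            findings.append(f"TTL varies for {src}: {sorted(seen)}")
    return findings
```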