HTML content in TCP packets to my DNS service.
Eric A. Hall
ehall at ehsco.com
Tue Jun 27 19:40:20 UTC 2000
You might want to contact an admin at the source and see what they're
doing. Maybe they stumbled over a URL with :53 on the end of it. If
nothing else, they'll know that you know.
rhys at my-deja.com wrote:
>
> I've been logging some strange hits on my DNS servers, for TCP
> connections to port 53. These hits are from a number of source IP
> addresses around the world, none of which are secondary servers for my
> domain.
>
> The following example shows a typical session, and whilst the packet
> content changes, the handshake steps, packet sizes and TTLs shown here
> remain constant. The data content changes, but seems HTML based,
> with "HTTP" and "GET /"'s appearing in many of the *R* and *R*A*
> packets.
>
> This is odd.
>
> The frequency of hits makes it look like an automated process. The
> content of the Reset and Reset/Ack packets is presumably semi-random (and
> meaningless) content, but possibly a clue as to what
> process/application is initiating this. If it wasn't for the HTML
> content of the reset packets, and the pattern to the conversations
> (many such connections over a forty minute period this morning) I'd
> assume it was some sort of nmap polling process (if this does turn out
> to be non-DNS/BIND related (i.e. something just picking on port 53)
> then apologies to the forum).
>
> Anyone have any suggestions on this?
>
> Rhys
> ----------------
>
> [**] TCP connection to DNS server [**]
> 06/27-07:37:49.653930 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
> TCP TTL:233 TOS:0x0 ID:63401
> **S***** Seq: 0x771BE074 Ack: 0x0 Win: 0x800
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>
> [**] TCP connection From DNS server [**]
> 06/27-07:37:49.654128 xxx.xxx.125.4:53 -> xxx.211.187.254:3501
> TCP TTL:64 TOS:0x0 ID:18035 DF
> **S***A* Seq: 0xD4EF228C Ack: 0x771BE075 Win: 0x7DA0
> TCP Options => MSS: 536
> 02 18 ..
>
> [**] TCP connection To DNS server [**]
> 06/27-07:37:50.269171 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
> TCP TTL:42 TOS:0x0 ID:50354
> ****R*** Seq: 0x771BE075 Ack: 0x0 Win: 0x0
> 02 04 05 B4 2F 74 ..../t
>
> [**] TCP connection To DNS server [**]
> 06/27-07:37:50.271973 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
> TCP TTL:233 TOS:0x0 ID:33463
> ****R*A* Seq: 0x771BE075 Ack: 0xD4EF228D Win: 0x800
> 48 54 54 50 2F 31 HTTP/1
>
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
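As an added example that is not part of either message above: a small Python parser for Snort-style TCP records of the kind Rhys quoted, which groups the segments and flags the two things he noticed, RST and RST/ACK segments that carry a payload, and a source address whose TTL changes from one segment to the next (233 on the SYN and RST/ACK, 42 on the bare RST), which suggests the segments did not all take the same path or come from the same host. The sample input is the four records from the post with their masked addresses left as-is; flag letters are decoded by letter rather than by column, since the column order differs between old Snort versions (an assumption about the dump format, noted in the code). One caveat: RFC 1122 allows a RST to carry data, so payload in a RST is a thing to look at, not evidence of anything on its own.

```python
"""Added example, not code from the original thread: parse Snort 1.x style
TCP alert records, then flag RST segments carrying data and per-source TTL
changes.  Record layout is assumed from the dump quoted in the post."""
import re
from collections import defaultdict

RECORD_HDR = re.compile(r"^\[\*\*\] (.*) \[\*\*\]$")
ADDR_LINE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
TCP_LINE = re.compile(r"^TCP TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+)( DF)?$")
FLAGS_LINE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+)$")
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")

# Constructed sample input: the four records quoted in the post, verbatim.
SAMPLE_LOG = """\
[**] TCP connection to DNS server [**]
06/27-07:37:49.653930 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:233 TOS:0x0 ID:63401
**S***** Seq: 0x771BE074 Ack: 0x0 Win: 0x800
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

[**] TCP connection From DNS server [**]
06/27-07:37:49.654128 xxx.xxx.125.4:53 -> xxx.211.187.254:3501
TCP TTL:64 TOS:0x0 ID:18035 DF
**S***A* Seq: 0xD4EF228C Ack: 0x771BE075 Win: 0x7DA0
TCP Options => MSS: 536
02 18 ..

[**] TCP connection To DNS server [**]
06/27-07:37:50.269171 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:42 TOS:0x0 ID:50354
****R*** Seq: 0x771BE075 Ack: 0x0 Win: 0x0
02 04 05 B4 2F 74 ..../t

[**] TCP connection To DNS server [**]
06/27-07:37:50.271973 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
TCP TTL:233 TOS:0x0 ID:33463
****R*A* Seq: 0x771BE075 Ack: 0xD4EF228D Win: 0x800
48 54 54 50 2F 31 HTTP/1
"""


def parse_hexdump_line(line):
    """Return the bytes of one dump row ('48 54 54 50 2F 31 HTTP/1'), or None.

    Snort prints one ASCII character per byte after the hex column, so the
    right split is the one where the ASCII tail is exactly as long as the hex
    column has bytes; this survives payloads whose text itself looks like hex
    pairs.  Falls back to the greedy split if no length matches."""
    m = HEX_LINE.match(line)
    if not m:
        return None
    pairs = m.group(1).split()
    for n in range(min(len(pairs), 16), 0, -1):
        if len(line[3 * n:]) == n:
            return bytes.fromhex(" ".join(pairs[:n]))
    return bytes.fromhex(m.group(1))


def parse_records(text):
    """Split an alert log into segment dicts (records separated by blank lines)."""
    segs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        seg = {"payload": b""}
        for line in block.splitlines():
            if (m := RECORD_HDR.match(line)):
                seg["msg"] = m.group(1)
            elif (m := ADDR_LINE.match(line)):
                seg.update(ts=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
            elif (m := TCP_LINE.match(line)):
                seg.update(ttl=int(m[1]), ipid=int(m[3]), df=bool(m[4]))
            elif (m := FLAGS_LINE.match(line)):
                # Assumption: decode by letter, not column; old Snort versions
                # differ in the column order of the 8-character flag field.
                seg["flags"] = {c for c in m[1] if c != "*"}
                seg.update(seq=int(m[2], 16), ack=int(m[3], 16), win=int(m[4], 16))
            elif line.startswith("TCP Options"):
                seg["options"] = line.split("=>", 1)[1].strip()
            elif (data := parse_hexdump_line(line)) is not None:
                seg["payload"] += data
        if "flags" in seg:
            segs.append(seg)
    return segs


def analyze(segs):
    """Flag RST segments that carry data, and sources whose TTL varies."""
    rst_with_payload, ttls = [], defaultdict(set)
    for s in segs:
        ttls[s["src"]].add(s["ttl"])
        if "R" in s["flags"] and s["payload"]:
            rst_with_payload.append((s["ipid"], s["payload"]))
    ttl_variation = {src: sorted(t) for src, t in ttls.items() if len(t) > 1}
    return {"rst_with_payload": rst_with_payload, "ttl_variation": ttl_variation}


def printable(data):
    return "".join(chr(c) if 32 <= c < 127 else "." for c in data)


if __name__ == "__main__":
    segs = parse_records(SAMPLE_LOG)
    for s in segs:
        print(f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]} ttl={s["ttl"]} '
              f'flags={"".join(sorted(s["flags"]))} payload={len(s["payload"])}B')
    report = analyze(segs)
    for ipid, data in report["rst_with_payload"]:
        print(f"RST carrying data (IP ID {ipid}): {printable(data)!r}")
    for src, ttl_list in report["ttl_variation"].items():
        print(f"TTL varies for {src}: {ttl_list}")
```

Run against a larger capture, the TTL check is the one to keep an eye on: a host's TTL for a given path is normally stable, so a segment that arrives with a different TTL in the middle of a flow is a reason to ask, as Eric suggests, who actually sent it.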