HTML content in TCP packets to my DNS service.

Eric A. Hall ehall at ehsco.com
Tue Jun 27 19:40:20 UTC 2000


You might want to contact an admin at the source and see what they're
doing. Maybe they stumbled over a url with :53 on the end of it. If
nothing else, they'll know that you know.


rhys at my-deja.com wrote:
> 
> I've been logging some strange hits on my DNS servers, for TCP
> connections to port 53. These hits are from a number of source IP
> addresses around the world, none of which are secondary servers for my
> domain.
> 
> The following example shows a typical session, and whilst the packet
> content changes, the handshake steps, packet sizes and TTLs shown here
> remain constant. The data content changes, but seems HTML based,
> with "HTTP" and "GET /"'s appearing in many of the *R* and *R*A*
> packets.
> 
> This is odd.
> 
> The frequency of hits make it look like an automated process. The
> content of the Reset Reset/Ack packets is presumably semi-random (and
> meaningless) content, but possibly a clue as to what
> process/application is initiating this. If it wasn't for the HTML
> content of the reset packets, and the pattern to the conversations
> (many such connections over a forty minute period this morning) I'd
> assume it was some sort of nmap polling process (if this does turn out
> to be non-DNS/BIND related (i.e. something just picking on port 53)
> then apologies to the forum).
> 
> Anyone have any suggestions on this?
> 
> Rhys
> ----------------
> 
> [**] TCP connection to DNS server [**]
> 06/27-07:37:49.653930 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
> TCP TTL:233 TOS:0x0 ID:63401
> **S***** Seq: 0x771BE074   Ack: 0x0   Win: 0x800
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 
> [**] TCP connection From DNS server [**]
> 06/27-07:37:49.654128 xxx.xxx.125.4:53 -> xxx.211.187.254:3501
> TCP TTL:64 TOS:0x0 ID:18035  DF
> **S***A* Seq: 0xD4EF228C   Ack: 0x771BE075   Win: 0x7DA0
> TCP Options => MSS: 536
> 02 18                                            ..
> 
> [**] TCP connection To DNS server [**]
> 06/27-07:37:50.269171 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
> TCP TTL:42 TOS:0x0 ID:50354
> ****R*** Seq: 0x771BE075   Ack: 0x0   Win: 0x0
> 02 04 05 B4 2F 74                                ..../t
> 
> [**] TCP connection To DNS server [**]
> 06/27-07:37:50.271973 xxx.211.187.254:3501 -> xxx.xxx.125.4:53
> TCP TTL:233 TOS:0x0 ID:33463
> ****R*A* Seq: 0x771BE075   Ack: 0xD4EF228D   Win: 0x800
> 48 54 54 50 2F 31                                HTTP/1
> 
> Sent via Deja.com http://www.deja.com/
> Before you buy.

-- 
Eric A. Hall                                      http://www.ehsco.com/
Internet Core Protocols        http://www.oreilly.com/catalog/coreprot/
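A small detector for the pattern rhys describes, added here as an example and not code from this thread or from BIND: it parses Snort-style records like the quoted ones, flags RST/RST-ACK segments that carry bytes, and reports client sockets whose TTL changes between packets of the same flow. The sample log, regexes and function names are my own constructions.

```python
import re
# Constructed sample in the Snort-style layout quoted above (documentation addresses, not the poster's)
SAMPLE_LOG = """\
[**] TCP connection To DNS server [**]
06/27-07:37:50.269171 203.0.113.7:3501 -> 192.0.2.4:53
TCP TTL:42 TOS:0x0 ID:50354
****R*** Seq: 0x771BE075   Ack: 0x0   Win: 0x0
02 04 05 B4 2F 74                                ..../t
[**] TCP connection To DNS server [**]
06/27-07:37:50.271973 203.0.113.7:3501 -> 192.0.2.4:53
TCP TTL:233 TOS:0x0 ID:33463
****R*A* Seq: 0x771BE075   Ack: 0xD4EF228D   Win: 0x800
48 54 54 50 2F 31                                HTTP/1
"""

HEADER_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
TTL_RE = re.compile(r"TCP TTL:(\d+)")
FLAGS_RE = re.compile(r"^(\S{8}) Seq:")  # e.g. **S***** or ****R*A*
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}( [0-9A-Fa-f]{2})*$")

def parse_packets(text):
    """One dict per [**] record; 'data' is whatever bytes the logger dumped after the TCP header."""
    packets, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[**]"):
            packets.append(cur := {"data": b""})
        elif cur is None or not line:
            continue
        elif m := HEADER_RE.match(line):
            cur.update(src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
        elif m := TTL_RE.search(line):
            cur["ttl"] = int(m[1])
        elif m := FLAGS_RE.match(line):
            cur["flags"] = m[1]
        elif HEX_RE.match(hexpart := re.split(r"\s{2,}", line, maxsplit=1)[0]):
            cur["data"] += bytes.fromhex(hexpart.replace(" ", ""))
    return packets

def resets_with_data(packets):
    """A reset should carry no application data, so any RST/RST-ACK with dumped bytes is the anomaly."""
    return [p for p in packets if "R" in p.get("flags", "") and p["data"]]

def flows_with_varying_ttl(packets):
    """Same client socket seen with more than one TTL (233 and 42 above) deserves a second look."""
    ttls = {}
    for p in packets:
        if "src" in p and "ttl" in p:
            ttls.setdefault((p["src"], p["sport"], p["dst"], p["dport"]), set()).add(p["ttl"])
    return {k: sorted(v) for k, v in ttls.items() if len(v) > 1}
```

Point `parse_packets` at a whole log file to get a list of the reset segments worth asking the source admin about, as Eric suggests.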



More information about the bind-users mailing list