Bogus routes to host

John Drummond bind at omar.org
Wed Mar 1 18:09:49 UTC 2000


I think someone is polluting the DNS system.  I keep getting all these
packets from real hosts, too -- but they're all stamped with the same 
ethernet address. . .  I've already written CERT once.  

Anyone out there know who else should be contacted about this?

Here's the packet output for one of them:

03/01-12:55:52.230000 0:C0:7B:70:9D:1B -> 0:40:F6:B4:4:ED type:0x800 len:0xBE
216.164.126.101:53 -> 208.141.79.2:53 UDP TTL:56 TOS:0x0 ID:37769
Len: 156
DE 2B 81 80 00 01 00 02 00 02 00 02 03 77 77 77  .+...........www
08 78 78 78 63 68 61 72 74 03 63 6F 6D 00 00 01  .xxxchart.com...
00 01 C0 0C 00 05 00 01 00 01 51 80 00 12 02 70  ..........Q....p
69 09 6E 65 74 68 65 72 77 65 62 03 63 6F 6D 00  i.netherweb.com.
C0 2E 00 01 00 01 00 00 90 AB 00 04 D8 A4 7E 64  ..............~d
C0 31 00 02 00 01 00 00 90 40 00 06 03 4E 53 31  .1.......@...NS1
C0 31 C0 31 00 02 00 01 00 00 90 40 00 06 03 4E  .1.1.......@...N
53 32 C0 31 C0 5C 00 01 00 01 00 01 8E A5 00 04  S2.1.\..........
CD FC EC 01 C0 6E 00 01 00 01 00 00 90 40 00 04  .....n.......@..
D8 A4 7E 65

Others have contained other X-rated sounding domain names.  All have
originated from 0:C0:7B:70:9D:1B.

This seems to be a reasonably widespread problem.

-JD

At 3/1/00 10:14:00 AM, you wrote:
>Got the same thing yesterday:
>
>Feb 29 03:23:48 named[14156]: stream_getlen([64.239.0.0].0): No route to host
>Feb 29 03:23:51 named[14156]: stream_getlen([24.240.185.2].5120): No route to host
>Feb 29 03:24:33 named[14156]: stream_getlen([24.240.185.2].5120): No route to host
>Feb 29 09:47:46 named[14156]: stream_getlen([0.119.223.0].0): No route to host
>Feb 29 09:47:49 named[14156]: stream_getlen([24.240.185.2].5120): No route to host
>Feb 29 09:48:31 named[14156]: stream_getlen([24.240.185.2].5120): No route to host
>Feb 29 12:58:10 named[14156]: stream_getlen([64.239.0.0].0): No route to host
>Feb 29 12:58:14 named[14156]: stream_getlen([24.240.185.2].5120): No route to host
>Feb 29 13:02:04 named[14156]: stream_getlen([24.240.185.2].5120): Connection timed out
>Feb 29 17:20:52 named[14156]: stream_getlen([9.0.0.0].4096): No route to host
>Feb 29 17:21:25 named[14156]: stream_getlen([24.240.185.2].5120): No route to host
>Feb 29 17:21:37 named[14156]: stream_getlen([48.85.188.56].1538): No route to host
>
>I can't back-resolve either the IPs or the nets. They seem bogus to me.
>
>Luigi
>
>At 09:15 03/01/2000 , John Drummond wrote:
>--- Begin Original Message ---
>
>>I have been getting this error many, many times a day:
>>
>>Mar  1 09:56:08 ns named[13369]: stream_getlen([138.47.189.56].5440): No route to host
>>
>>Each time there is a different IP address, some of which are weird (i.e.,
>>5.0.0.2).
>>
>>I just upgraded to the latest release thinking it may be a security
>>issue.  I am still receiving the message.
>>
>>Searching the mailing list archives revealed several questions about this,
>>but no response.  Could someone with experience with this issue please
>>enlighten me?
>>
>>Thanks so much,
>>-John Drummond
>>
>--- End Original Message ---
>--SIG--------------------------------------------------------
><A HREF="http://www.focalpoint.com/">Home Page</A>
>and i said Hey! Give me that pen!  laurie anderson
>Luigi P. Bai                             Focal Point Software, Inc.
>lpb at focalpoint.com                 1225 N. Loop 610 W., Suite 214
>turning data into information      Houston, TX   77008-1757
>                                               (713) 215-1612
>
>
>
>
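
Decoding the payload of the packet dump quoted in the post, as an added example that is not part of the original thread: a minimal RFC 1035 parser (the names `read_name` and `parse` are this example's own) run over the bytes from the hex column. It shows the datagram is a response for www.xxxchart.com, and that its additional section lists the sending address 216.164.126.101 as NS2.netherweb.com.

```python
import struct

# Payload bytes copied from the hex column of the dump in the post.
PACKET = bytes.fromhex(
    "DE 2B 81 80 00 01 00 02 00 02 00 02 03 77 77 77"
    "08 78 78 78 63 68 61 72 74 03 63 6F 6D 00 00 01"
    "00 01 C0 0C 00 05 00 01 00 01 51 80 00 12 02 70"
    "69 09 6E 65 74 68 65 72 77 65 62 03 63 6F 6D 00"
    "C0 2E 00 01 00 01 00 00 90 AB 00 04 D8 A4 7E 64"
    "C0 31 00 02 00 01 00 00 90 40 00 06 03 4E 53 31"
    "C0 31 C0 31 00 02 00 01 00 00 90 40 00 06 03 4E"
    "53 32 C0 31 C0 5C 00 01 00 01 00 01 8E A5 00 04"
    "CD FC EC 01 C0 6E 00 01 00 01 00 00 90 40 00 04"
    "D8 A4 7E 65")
TYPES = {1: "A", 2: "NS", 5: "CNAME"}

def read_name(msg, off):
    """Decode a domain name, following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while (n := msg[off]):
        if (n & 0xC0) == 0xC0:  # pointer: jump, but resume after it
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse(msg):
    """Return the header fields and every resource record in a response."""
    ident, flags, _qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    question, off = read_name(msg, 12)
    off, records = off + 4, []  # skip QTYPE/QCLASS; assumes one question
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rdata = msg[off + 10:off + 10 + rdlen]
            if rtype == 1:
                data = ".".join(map(str, rdata))
            else:  # NS/CNAME rdata is a (possibly compressed) name
                data = read_name(msg, off + 10)[0] if rtype in (2, 5) else rdata.hex()
            records.append((section, name, TYPES.get(rtype, rtype), ttl, data))
            off += 10 + rdlen
    return {"id": ident, "response": bool(flags & 0x8000),
            "question": question, "records": records}

print(*parse(PACKET)["records"], sep="\n")
```

On Ethernet, every frame arriving from off-link hosts carries the source MAC of the last-hop router, so one source MAC shared across many remote IP addresses identifies the local gateway rather than a single sender.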



