Guest Miro Majcen

Hi, Who is good at DNS Attack Investigating?


IP Address is 145.112.50.65

And no, it is not an IP Address from my ISP Provider. They all begin with 24. :-)

Hello,

Well, I have been doing some research today after being the recipient of a targeted DNS ICMP Unreachable Attack. First off, here is the evidence I have accumulated. I use ZoneAlarm, and either this person is an IDIOT, or very smart. I have not decided yet. The first one was way back on 07-31-2001. Here are the dates:

07-31-2001
12-01-2001
02-13-2002
04-02-2002
06-03-2002

By the way, the one today pushed me over the proverbial nice guy edge and I decided to act. :-) I have been pretty resilient to these types of things as they occur, but alas, even I get bored with idiots from time to time. Today's attacks were 5 so far, with one instance recording 198 attempts.

Here is a copy of my ZoneAlarm log with the same IP going back almost a year. Yes, I am a saver. :-)

*********************************************
ZoneAlarm Logging Client v2.6.88
Windows 98-4.90.3000- -SP
type,date,time,source,destination,transport
FWIN,2001/07/31,14:19:50 -5:00 GMT,149.112.50.65:0,24.182.138.242:0,ICMP (type:3/subtype:1)
FWIN,2001/07/31,22:36:16 -5:00 GMT,149.112.50.65:0,24.182.138.242:0,ICMP (type:3/subtype:1)
FWROUTE,2001/12/01,11:22:48 -6:00 GMT,149.112.50.82:0,149.112.50.65:0,ICMP (type:8/subtype:0)
FWOUT,2001/12/01,12:13:55 -6:00 GMT,149.112.50.98:68,149.112.50.65:67,UDP
FWROUTE,2001/12/01,14:07:45 -6:00 GMT,149.112.50.65:67,149.112.50.66:68,UDP
FWOUT,2001/12/01,20:17:00 -6:00 GMT,149.112.50.66:67,149.112.50.65:68,UDP
FWOUT,2001/12/01,20:56:49 -6:00 GMT,149.112.50.82:67,149.112.50.65:68,UDP
FWOUT,2001/12/01,21:32:23 -6:00 GMT,149.112.50.66:68,149.112.50.65:67,UDP
FWIN,2002/02/13,17:06:57 -6:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/04/02,20:11:00 -6:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,15:34:28 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,16:13:03 -5:00 GMT,149.112.50.65:0,149.112.50.66:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,17:09:08 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,17:10:03 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWOUT,2002/06/03,17:13:10 -5:00 GMT,12.251.34.247:0,149.112.50.65:0,ICMP type:8/subtype:0)
FWIN,2002/06/03,19:34:04 -5:00 GMT,149.112.50.65:0,149.112.50.66:0,ICMP (type:3/subtype:1)
*********************************************

I have some others, but this is the most often used one. There are others such as 149.112.50.82, .65, etc....

Here are some pics of the evidence, and then my question.

Pic 1 shows the DNS Search.. Maybe this person was using their work computer at 3Com... You Think...?
http://home.attbi.com/~sonar5/1.jpg

Pic #2 shows 3Com addresses, nothing new there.
http://home.attbi.com/~sonar5/2.jpg

Pic #3 shows the Trace. Interesting... direct link, no hops. Either this person doesn't care about their job, or they have been using the same fake IP Address for over a year. What do you think?
http://home.attbi.com/~sonar5/3.jpg

Pic #4 shows the last attack a short time ago...
http://home.attbi.com/~sonar5/5.jpg

Pic #5 shows the Whois on the owner side.
http://home.attbi.com/~sonar5/6.jpg

So does anyone have any ideas on this one? I thought I would post here before I do the following.

1) Go to my ISP, report it and see what they do. AT&T Broadband Internet
2) 3Com's security department, maybe it is an employee. See Ya, if it is.
3) Or my firm's security department, since I was logged in at the time.
4) Nothing, as someone ICMPing me 198 times is normal for a short period of time. Nope, don't think so... :-)

Do you recognize this IP Address? 145.112.50.65

Do you know someone that frequents these forums and works for 3Com?

I am thinking it is either:

a) The "Smack" and "Bloop" attacks, which involve the perpetrator sending ICMP unreachable messages in an attempt to flood and consume the victim's CPU resources.

or :( click - WinNewk/X. This attack involves the perpetrator sending ICMP error (usually ICMP unreachable) messages.

Thanks in advance, :-)

Joe :-wave

******************************
Picture Gallery of My Flight in a 1945 SNJ-6 on June 1st, 2002
Joliet, Illinois
http://home.attbi.com/~jranos/FrameSet.htm
******************************
http://home.attbi.com/~jranos/mysig.jpg
http://avsim.com/hangar/air/bfu/logo70.gif


If the attacks continue from this source address, then I would definitely contact 3Com. It is possible that someone is either:

1: Spoofing the IP address and actually coming from a different address.
2: Actually at a workstation on the network being an idiot, or is infected with some sort of worm or trojan.

Either way, I think it would warrant a note to 3Com. The worst they can do is ignore you.

Regards,
Mike
http://www.avsim.com/vaworld/mikep/smallsig.jpg


Joe,

As I mentioned in the MSFS forum, I had a similar problem after installing a 3Com US Robotics modem. When I upgraded to WinXP the problem stopped; also I went cable. It may have been a file that was installed when I set up the drivers. It sounds strange, but it is a possibility the "trojan" may be in the 3Com software.

Brent


Joe, the most I can help you with is I can let you know that there is no one in the forums with that IP. In fact, no one even using 145.112.*.*

Sounds like Brent has an idea worth checking into. I'd hate to think 3Com would have some reason to be pinging your system, as I have a 3Com modem also, but it would be a good first place to start, along with an email to 3Com. I would just keep it respectful and tactful, as it could be someone spoofing their IP like someone mentioned.


Thanks folks,

I have forwarded the info to 3Com and AT&T, so we'll see if I hear anything back. Thanks for the input. :-)

Regards,
Joe

******************************
Picture Gallery of My Flight in a 1945 SNJ-6 on June 1st, 2002
Joliet, Illinois
http://home.attbi.com/~jranos/FrameSet.htm
******************************
http://home.attbi.com/~jranos/mysig.jpg
http://avsim.com/hangar/air/bfu/logo70.gif


What you got was simply a ping (ICMP packets mean that). I'd say somebody was pinging the whole IP subnet range where you are. If this isn't happening all the time, I wouldn't worry about that too much. Take a look at http://www.iana.org/assignments/port-numbers to see the most used ports list. This will help solve the mystery of UDP 67 and 68.

Best regards,
Miro Majcen
AVSIM Online
Managing Editor Europe
www.avsim.com
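An added example, not code from anyone in this thread, that parses the ZoneAlarm record format Joe posted (type,date,time,source,destination,transport) and tallies inbound hits per source IP across the months, decoding the ICMP type/code from RFC 792 (type 3, code 1 is destination unreachable / host unreachable; type 8, code 0 is echo request) and UDP 67/68 from the IANA port list Miro links (bootps/bootpc, i.e. DHCP). The six sample records are copied from the log above; the function names and field labels are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: six records copied from the ZoneAlarm log in the first post.
# The fifth line keeps the missing "(" exactly as it appears there.
SAMPLE_LOG = """\
FWIN,2001/07/31,14:19:50 -5:00 GMT,149.112.50.65:0,24.182.138.242:0,ICMP (type:3/subtype:1)
FWROUTE,2001/12/01,11:22:48 -6:00 GMT,149.112.50.82:0,149.112.50.65:0,ICMP (type:8/subtype:0)
FWOUT,2001/12/01,12:13:55 -6:00 GMT,149.112.50.98:68,149.112.50.65:67,UDP
FWIN,2002/06/03,15:34:28 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWOUT,2002/06/03,17:13:10 -5:00 GMT,12.251.34.247:0,149.112.50.65:0,ICMP type:8/subtype:0)
FWIN,2002/06/03,19:34:04 -5:00 GMT,149.112.50.65:0,149.112.50.66:0,ICMP (type:3/subtype:1)
"""

# ICMP (type, code) names per RFC 792; ZoneAlarm labels the code "subtype".
ICMP_NAMES = {(3, 1): "destination unreachable (host unreachable)",
              (8, 0): "echo request (ping)"}
# UDP port names per the IANA port-numbers list linked in the last reply.
UDP_NAMES = {67: "bootps (DHCP server)", 68: "bootpc (DHCP client)"}
ICMP_RE = re.compile(r"type:(\d+)/subtype:(\d+)")

def parse_line(line):
    """Decode one ZoneAlarm record into a dict, or return None for a malformed line."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    direction, date, _time, src, dst, transport = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    if transport.startswith("ICMP"):
        m = ICMP_RE.search(transport)          # search() tolerates the missing "("
        key = (int(m.group(1)), int(m.group(2)))
        desc = ICMP_NAMES.get(key, "ICMP type %d code %d" % key)
    else:
        names = [UDP_NAMES.get(int(p), p) for p in (src_port, dst_port)]
        desc = "%s %s -> %s" % (transport, names[0], names[1])
    return {"dir": direction, "month": date[:7], "src": src_ip, "dst": dst_ip, "desc": desc}

def summarize_inbound(log_text):
    """Per source IP of FWIN (blocked inbound) records: hit count, months seen, what was sent."""
    out = defaultdict(lambda: {"count": 0, "months": set(), "kinds": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dir"] == "FWIN":
            s = out[rec["src"]]
            s["count"] += 1
            s["months"].add(rec["month"])
            s["kinds"][rec["desc"]] += 1
    return dict(out)
```

A source that shows up in several distinct months with only type 3/code 1 messages is what to carry to the ISP or owner abuse contact, together with the raw lines.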

