Guest

Hi, Who is good at DNS Attack Investigating?


IP Address is 145.112.50.65. And no, it is not an IP Address from my ISP Provider. They all begin with 24. :-)

Hello,

Well, I have been doing some research today after being the recipient of a targeted DNS ICMP Unreachable Attack. First off, here is the evidence I have accumulated. I use ZoneAlarm, and either this person is an IDIOT, or very smart. I have not decided yet. The first one was way back on 07-31-2001. Here are the dates:

07-31-2001
12-01-2001
02-13-2002
04-02-2002
06-03-2002

By the way, the one today pushed me over the proverbial nice guy edge and I decided to act. :-) I have been pretty resilient to these types of things as they occur, but alas, even I get bored with idiots from time to time. Today's attacks were 5 so far with one instance recording 198 Attempts.

Here is a copy of my ZoneAlarm log with the same IP going back almost a year. Yes, I am a saver. :-)

*********************************************
ZoneAlarm Logging Client v2.6.88
Windows 98-4.90.3000- -SP
type,date,time,source,destination,transport
FWIN,2001/07/31,14:19:50 -5:00 GMT,149.112.50.65:0,24.182.138.242:0,ICMP (type:3/subtype:1)
FWIN,2001/07/31,22:36:16 -5:00 GMT,149.112.50.65:0,24.182.138.242:0,ICMP (type:3/subtype:1)
FWROUTE,2001/12/01,11:22:48 -6:00 GMT,149.112.50.82:0,149.112.50.65:0,ICMP (type:8/subtype:0)
FWOUT,2001/12/01,12:13:55 -6:00 GMT,149.112.50.98:68,149.112.50.65:67,UDP
FWROUTE,2001/12/01,14:07:45 -6:00 GMT,149.112.50.65:67,149.112.50.66:68,UDP
FWOUT,2001/12/01,20:17:00 -6:00 GMT,149.112.50.66:67,149.112.50.65:68,UDP
FWOUT,2001/12/01,20:56:49 -6:00 GMT,149.112.50.82:67,149.112.50.65:68,UDP
FWOUT,2001/12/01,21:32:23 -6:00 GMT,149.112.50.66:68,149.112.50.65:67,UDP
FWIN,2002/02/13,17:06:57 -6:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/04/02,20:11:00 -6:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,15:34:28 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,16:13:03 -5:00 GMT,149.112.50.65:0,149.112.50.66:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,17:09:08 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,17:10:03 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWOUT,2002/06/03,17:13:10 -5:00 GMT,12.251.34.247:0,149.112.50.65:0,ICMP type:8/subtype:0)
FWIN,2002/06/03,19:34:04 -5:00 GMT,149.112.50.65:0,149.112.50.66:0,ICMP (type:3/subtype:1)
*********************************************

I have some others but this is the most often used one. There are others such as 149.112.50.82, .65, etc....

Here are some pics of the evidence, and then my question.

Pic 1 shows the DNS Search. Maybe this person was using their work computer at 3Com... You Think...?
http://home.attbi.com/~sonar5/1.jpg

Pic #2 shows 3Com addresses, nothing new there.
http://home.attbi.com/~sonar5/2.jpg

Pic #3 shows the Trace. Interesting... direct link, no hops. Either this person doesn't care about their job, or they have been using the same fake IP Address for over a year. What do you think?
http://home.attbi.com/~sonar5/3.jpg

Pic #4 shows the last attack a short time ago...
http://home.attbi.com/~sonar5/5.jpg

Pic #5 shows the Whois on the owner side.
http://home.attbi.com/~sonar5/6.jpg

So does anyone have any ideas on this one? I thought I would post here before I do the following.

1) Go to my ISP, report it and see what they do. AT&T Broadband Internet
2) 3Com's security department, maybe it is an employee. See Ya, if it is.
3) Or my firm's security department since I was logged in at the time.
4) Nothing, as someone ICMPing me 198 times is normal for a short period of time. Nope, don't think so... :-)

Do you recognize this IP Address? 145.112.50.65
Do you know someone that frequents these forums and works for 3Com?

I am thinking it is either:
a) The "Smack" and "Bloop" attacks, which involve the perpetrator sending ICMP unreachable messages in an attempt to flood and consume the victim's CPU resources.
or
b) Click - WinNewk/X. This attack involves the perpetrator sending ICMP error (usually ICMP unreachable) messages.

Thanks in advance, :-)
Joe :-wave

******************************
Picture Gallery of My Flight in a 1945 SNJ-6 on June 1st, 2002
Joliet, Illinois
http://home.attbi.com/~jranos/FrameSet.htm
******************************
http://home.attbi.com/~jranos/mysig.jpg http://avsim.com/hangar/air/bfu/logo70.gif


Joe,

I used to report stuff like this a lot until I finally decided it was taking up too much of my time and gave up ;) In a case like this I would go with option 2 there and report this to whatever security address you can find for 3Com (including your ZA logs of course). If you don't get a useful response from them then I'd report to your own ISP but, in my experience anyway, they're usually much less likely to help out.

Beyond that, I'd just permanently ban that IP address and not worry about it.

Clyde


Joe,

Do you have a 3Com or USRobotics modem? I think I had that same problem before I went to cable.

Brent


This does not look like an attack. This looks like you are blocking out DHCP (from your ISP), which uses UDP ports 67:68 to receive and send information and to renew your IP etc.

I am not a big Zone Alarm fan because it does not leave a lot of room for advanced firewalling from what I have seen. I like to open certain ports to certain IPs. I do not believe you can do that with Zone Alarm. I think you can with Black Ice Defender. I am not familiar with Windows firewalls since I work mostly with Unix in security. I personally would use a Linksys router where you can configure a firewall.

This was not a DNS attack. You are not running a DNS server so there would be no reason for someone to attack DNS. DNS runs on ports UDP 53 and TCP 53; these hits were DHCP 67:68, which is normal for cable modems. The ICMP ping type is echo request, to see if your host is alive or not. I would not worry about it one bit. If it was a true attack your logs would be overloaded and you would have probably been offline :)

The IPs coming from 3Com are because you are probably routed through a DHCP server which they may own the IPs to, or it's just your cable modem. Although I have a 3Com modem and I have not experienced this.

These are the ports to keep a close eye on; all are TCP, for example 1024 and below. These are privileged ports to YOU, not the outside.
23 telnet
22 ssh
21 FTP
20 FTP-data
515 sun rcp
53 DNS
33137 back orifice tcp and udp

ICMP pings are a bit confusing so I leave those be. If you are getting hit hard on port 1433 it's because there is a bad MS SQL worm going around, so don't worry.

Richard Dillon KATL
Sr First Officer www.jetstarairlines.com
"Bill Grabowski's" ERJ-145 panel Beta Team
MD-11 panel Beta Team
____________________________
"Lets Roll" 9/11
Specs: AMD 1600 XP 512MB DDR GF3 ti 200 64MB SBlive Ch Products Yoke and Pedals (usb) Windows 2000 SP2


Richard,

Thank you very much. I appreciate you responding, and the others as well. I have forwarded the info to them to look at. Your theory sounds both logical and makes a lot of sense. In looking at the ports, that is where they are coming from. They usually come from AT&T IPs though, so that is why my flags went up, along with the infrequency. What got me was the 198 attempts in a short time.

Thanks again Richard, I have been edumacated once again. :-)

Regards,
Joe :-wave

******************************
Picture Gallery of My Flight in a 1945 SNJ-6 on June 1st, 2002
Joliet, Illinois
http://home.attbi.com/~jranos/FrameSet.htm
******************************
http://home.attbi.com/~jranos/mysig.jpg http://avsim.com/hangar/air/bfu/logo70.gif


If AT&T is your ISP and you have a cable modem, that would be it. Just remember that all cable modems use DHCP as a form of connection. So if you are getting a lot of hits on your firewall from AT&T IPs on 67:68 (DHCP) it's just because you're sending information in and out.

What I would do is find a firewall that is user friendly and will let you configure it how you want. If you can do that with Zone Alarm, allow ONLY the AT&T DHCP IPs to use UDP port 67:68; also only allow AT&T DNS numbers to make hits on UDP port 53. Become familiar with AT&T IPs... at least for DNS (UDP 53), DHCP (UDP 67:68), (TCP 25 SMTP, 110 POP3). Allow AT&T server IPs to hit those ports and block out the rest.

Hope this helps you some more :)

Richard Dillon KATL
Sr First Officer www.jetstarairlines.com
"Bill Grabowski's" ERJ-145 panel Beta Team
MD-11 panel Beta Team
____________________________
"Lets Roll" 9/11
Specs: AMD 1600 XP 512MB DDR GF3 ti 200 64MB SBlive Ch Products Yoke and Pedals (usb) Windows 2000 SP2

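An added example (mine, not code from any poster or from ZoneAlarm) that does by script what Richard's two replies do by eye: it parses log lines in the CSV layout quoted in the first post, labels each hit (UDP 67/68 as DHCP lease traffic, port 53 as DNS, ICMP type 8 as an echo request, ICMP type 3 as destination unreachable), applies the allow-list policy from the second reply (DHCP and DNS only from ISP servers, ICMP left alone, other inbound hits flagged for review), and counts how many inbound unreachables one source sent inside a short window so a spike like the 198 attempts stands out from a trickle. The sample lines are copied from the thread plus two constructed inbound hits from a documentation address; the `ISP_SERVERS` networks are hypothetical placeholders, not AT&T's real addresses.

```python
"""Triage ZoneAlarm 2.x log lines: classify, allow-list check, burst count.

Added example, not the thread's or ZoneAlarm's code. Assumes the CSV layout
quoted in the first post and a hypothetical ISP allow-list (placeholders).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: lines from the thread plus two constructed inbound hits
# from 198.51.100.7 (a documentation range) to exercise the review path.
SAMPLE_LOG = """\
type,date,time,source,destination,transport
FWIN,2001/07/31,14:19:50 -5:00 GMT,149.112.50.65:0,24.182.138.242:0,ICMP (type:3/subtype:1)
FWOUT,2001/12/01,12:13:55 -6:00 GMT,149.112.50.98:68,149.112.50.65:67,UDP
FWROUTE,2001/12/01,14:07:45 -6:00 GMT,149.112.50.65:67,149.112.50.66:68,UDP
FWIN,2002/06/03,15:34:28 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,17:09:08 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWIN,2002/06/03,17:10:03 -5:00 GMT,149.112.50.65:0,12.251.34.247:0,ICMP (type:3/subtype:1)
FWOUT,2002/06/03,17:13:10 -5:00 GMT,12.251.34.247:0,149.112.50.65:0,ICMP type:8/subtype:0)
FWIN,2002/06/03,17:20:00 -5:00 GMT,198.51.100.7:0,12.251.34.247:53,UDP
FWIN,2002/06/03,17:21:00 -5:00 GMT,198.51.100.7:4321,12.251.34.247:23,TCP
"""

# direction, date, clock (the "-5:00 GMT" suffix is ignored), source, destination, transport
LINE_RE = re.compile(r"^(FWIN|FWOUT|FWROUTE),([\d/]+),(\d\d:\d\d:\d\d)[^,]*,([^,]+),([^,]+),(.+)$")
# The "(" is optional because one line quoted in the thread lacks it.
ICMP_RE = re.compile(r"ICMP\s*\(?type:(\d+)/subtype:(\d+)\)?")

# Hypothetical ISP server networks (placeholders): peers allowed to talk DHCP/DNS to us.
ISP_SERVERS = {"dhcp": [ip_network("149.112.50.0/24")], "dns": [ip_network("203.0.113.0/24")]}


def parse_log(text):
    """One dict per FWIN/FWOUT/FWROUTE line; the header and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        direction, date, clock, src, dst, transport = m.groups()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        icmp = ICMP_RE.search(transport)
        entries.append({
            "direction": direction,
            "when": datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S"),
            "src": src_ip, "src_port": int(src_port), "dst": dst_ip, "dst_port": int(dst_port),
            "proto": "ICMP" if icmp else transport.strip().upper(),
            "icmp_type": int(icmp.group(1)) if icmp else None,
            "icmp_code": int(icmp.group(2)) if icmp else None,
        })
    return entries


def classify(entry):
    """Label a record with the service the replies identify."""
    if entry["proto"] == "ICMP":
        if entry["icmp_type"] == 8:
            return "icmp-echo-request"       # plain ping: "is the host alive"
        if entry["icmp_type"] == 3:
            return "icmp-dest-unreachable"   # code 1 = host unreachable
        return f"icmp-type-{entry['icmp_type']}"
    ports = {entry["src_port"], entry["dst_port"]}
    if entry["proto"] == "UDP" and ports & {67, 68}:
        return "dhcp"                        # lease traffic, normal on a cable modem
    if 53 in ports:
        return "dns"
    return f"{entry['proto'].lower()}-other"


def remote_ip(entry):
    """The peer beyond the firewall: destination for outbound, source otherwise."""
    return ip_address(entry["dst"] if entry["direction"] == "FWOUT" else entry["src"])


def needs_review(entry, isp_servers=ISP_SERVERS):
    """Allow-list policy: DHCP/DNS only from ISP servers, ICMP ignored, other inbound flagged."""
    kind = classify(entry)
    if kind in isp_servers:
        return not any(remote_ip(entry) in net for net in isp_servers[kind])
    if kind.startswith("icmp-"):
        return False
    return entry["direction"] == "FWIN"


def summarize(entries):
    """Inbound hit counts per (source, kind), so the noisy peer is obvious."""
    return Counter((e["src"], classify(e)) for e in entries if e["direction"] == "FWIN")


def find_bursts(entries, window=timedelta(minutes=10), threshold=10):
    """Sources that sent at least `threshold` inbound unreachables inside any `window` (sliding)."""
    by_src = defaultdict(list)
    for e in entries:
        if e["direction"] == "FWIN" and classify(e) == "icmp-dest-unreachable":
            by_src[e["src"]].append(e["when"])
    bursts = []
    for src, times in by_src.items():
        times.sort()
        best = left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts.append((src, best))
    return bursts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for (src, kind), n in summarize(log).most_common():
        print(f"{src:>16}  {kind:<22} {n}")
    for e in log:
        if needs_review(e):
            print("review:", e["direction"], e["src"], "->", e["dst"], classify(e))
    for src, n in find_bursts(log, threshold=2):
        print(f"burst: {n} unreachables from {src} within 10 minutes")
```

On the sample, the inbound unreachables from 149.112.50.65 are spread over months with only two inside one ten-minute window, so at a realistic threshold nothing trips; the two constructed hits from 198.51.100.7 (DNS from a non-ISP address, and a TCP port 23 probe) are the only records the policy flags. Run it against a real saved log by replacing `SAMPLE_LOG` with the file contents, after filling in the ISP's actual DHCP and DNS server addresses.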

I get hits similar to the one you describe all the time. I agree with ClydeJ that you could attempt to report such port probes to the sources you cite, but you will get no satisfactory replies and probably no action will be taken to stop them. I gave up doing that long ago. You could try the www.dslreports.com forums, especially the "Security" forum, but most of the forum members there will tell you to just let Zone Alarm do its job of blocking and reporting to you those clowns who are attempting to probe your ports. Looks like you are using Ariswhois as I do also to determine whose services the would-be intruder is using. I also use "Shieldsup" which consistently informs me that, for all purposes, my computer is 100% "stealth," i.e., it doesn't exist. Not much else you can do except put your trust in Zone Alarm and run a virus scan every so often. Good luck. http://home.kscable.com/rfromholz/ady.JPG


You might want to take a look at Tiny Personal Firewall, which presents information in a much more useful manner than Zone Alarm. It is not free like Zone Alarm, but it is a totally different product offering in that it really is a firewall product, not just a port stealther...

Ray


You can also use something like SneakBy, which will, for $6/month, securely encrypt your surfing. Since I use their service the number of ZA reports has gone down dramatically (of course).

