Hi all,
Does anybody know good links about dns hijack attack? Need to educate myself about it. Have been attacked.
TIA Philipp
Hi list-users
Please forget about my request here above. It's bogus. What kind of traffic is this?
Feb 3 18:47:14 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11152 F=0x0000 T=45
Feb 3 18:47:15 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11168 F=0x0000 T=45
Feb 3 18:47:18 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11175 F=0x0000 T=45
Feb 3 18:47:20 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11187 F=0x0000 T=45
Feb 3 18:47:25 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11250 F=0x0000 T=45
Feb 3 18:47:25 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11252 F=0x0000 T=45
Feb 3 18:47:27 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11257 F=0x0000 T=45
Feb 3 18:47:30 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11275 F=0x0000 T=45
Feb 3 18:47:34 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11295 F=0x0000 T=45
Feb 3 18:47:34 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11296 F=0x0000 T=45
Thank you
Philipp
> Hi list-users
> Please forget about my request here above. It's bogus. What kind of traffic is this?
> Feb 3 18:47:14 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11152 F=0x0000 T=45
protocol (/etc/protocols) 17 is UDP.
Length=55 bytes
TTL=45 (from probably 64)
Source port is 625
Destination port is 53.

Now I just wonder why you filter these packets. Those appear to be regular dns queries, destined for 212.232.168.181 (your address? PS14613-RIPE).
> Feb 3 18:47:15 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11168 F=0x0000 T=45
> [snip]
Roman.
--
Roman Drahtmüller
Roman,
> > Feb 3 18:47:14 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11152 F=0x0000 T=45
>
> protocol (/etc/protocols) 17 is UDP.
> Length=55 bytes
> TTL=45 (from probably 64)
> Source port is 625
> Destination port is 53.
I was worried because of --sport and the I field. The I field shows normal dns queries (a scan has a much wider range of I field numbers), while --sport is unusually low for server or client dns queries. And so I wasn't sure what queries these would be. A dns probe? Simply, it was the first time I saw a dns server query from :1023 --> 53 udp. Moreover it was/still is trying both dns servers .181 and .190. One more reason to believe it could be a dns probe. But now I read Boris Lorenz' (Lanswehr & Partner, Nürnberg) answer and it seems that everything is ok.
> Now I just wonder why you filter these packets.

Because the --sport is too low. Normally clients and servers query from 1024: --> 53 udp. This is 99% of all cases. For the 1% I will not open the 1:1023 ports.

> Those appear to be regular dns queries, destined for 212.232.168.181 (your address? PS14613-RIPE).

Yes, it is.
Philipp
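Roman's field-by-field reading of the ipchains packet log above, together with the two checks Philipp applies (a source port below 1024 on a UDP/53 query, and the spread of the I= field per source host), written out as a small parser and classifier. This is an added example, not code from the thread: the ten log lines are the ones Philipp posted, while the function names, the 1024 threshold and the initial-TTL table (64, 128, 255) are assumptions of the example.

```python
"""Decode ipchains "Packet log:" lines (Linux 2.2) and apply the two checks
from the thread: a privileged source port on a UDP/53 query and the spread of
the IP ID (I=) field per source.  Added example, not code from the thread;
function names, the 1024 threshold and the TTL table are assumptions."""
import re
from collections import defaultdict

# The ten lines Philipp posted, embedded as constructed sample input.
SAMPLE_LOG = """\
Feb 3 18:47:14 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11152 F=0x0000 T=45
Feb 3 18:47:15 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11168 F=0x0000 T=45
Feb 3 18:47:18 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11175 F=0x0000 T=45
Feb 3 18:47:20 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11187 F=0x0000 T=45
Feb 3 18:47:25 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11250 F=0x0000 T=45
Feb 3 18:47:25 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11252 F=0x0000 T=45
Feb 3 18:47:27 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11257 F=0x0000 T=45
Feb 3 18:47:30 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11275 F=0x0000 T=45
Feb 3 18:47:34 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11295 F=0x0000 T=45
Feb 3 18:47:34 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:625 212.232.168.181:53 L=55 S=0x00 I=11296 F=0x0000 T=45
"""

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # the numbers from /etc/protocols

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)")


def parse_line(line):
    """Decoded fields of one log line, or None if it is not a packet log entry.
    L= is the IP length in bytes, S= the TOS byte, I= the IP ID, F= the
    fragment word and T= the remaining TTL."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {"timestamp": d["ts"], "host": d["host"], "chain": d["chain"],
            "action": d["action"], "iface": d["iface"], "proto": proto,
            "proto_name": PROTOCOLS.get(proto, "proto-%d" % proto),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "length": int(d["length"]), "tos": int(d["tos"], 16),
            "ipid": int(d["ipid"]), "frag": int(d["frag"], 16),
            "ttl": int(d["ttl"])}


def initial_ttl_guess(ttl):
    """Smallest common initial TTL (64, 128, 255) at or above the observed
    one, the way Roman read "45 (from probably 64)"; also the implied hops."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start, start - ttl
    return None, None


def classify_dns_query(rec, min_sport=1024):
    """Philipp's rule: UDP/53 from 1024 and up is a normal query, UDP/53
    from the privileged range 1:1023 is unusual enough to flag."""
    if rec["proto"] != 17 or rec["dport"] != 53:
        return "not-dns"
    return "privileged-sport" if rec["sport"] < min_sport else "normal"


def summarize(log_text, min_sport=1024):
    """Per-source view: packet count, targets, source ports, verdicts and the
    IP ID span, which Philipp uses to tell a busy resolver from a scan."""
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {"packets": 0, "dsts": set(),
                               "sports": set(), "ipids": [],
                               "verdicts": defaultdict(int)})
        s["packets"] += 1
        s["dsts"].add(rec["dst"])
        s["sports"].add(rec["sport"])
        s["ipids"].append(rec["ipid"])
        s["verdicts"][classify_dns_query(rec, min_sport)] += 1
    return {src: {"packets": s["packets"], "dsts": sorted(s["dsts"]),
                  "sports": sorted(s["sports"]),
                  "ipid_span": max(s["ipids"]) - min(s["ipids"]),
                  "ipid_increasing": s["ipids"] == sorted(s["ipids"]),
                  "verdicts": dict(s["verdicts"])}
            for src, s in per_src.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

On the posted lines the summary shows one source, two targets (.181 and .190), only two source ports (624 and 625), and an IP ID span of 144 that increases monotonically over twenty seconds, which is the narrow, ordered pattern Philipp associates with a single resolver rather than a scan; every packet is still flagged as "privileged-sport" under the 1024 rule, which is exactly why the firewall denied them.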
> > Now I just wonder why you filter these packets.
>
> Because the --sport is too low. Normally clients and servers query from 1024: --> 53 udp. This is 99% of all cases. For the 1% I will not open the 1:1023 ports.
>
> > Those appear to be regular dns queries, destined for 212.232.168.181 (your address? PS14613-RIPE).

Locking the source port is quite commonly used as a way to minimise rules in a firewall (i.e. you have a DNS server that has to query OUT through a firewall, and you set BIND to always query with a fixed source port). Source ports should not be used in rules for inbound connections due to their arbitrary nature, but in this case, as they are outbound connections, it's quite common.

Cheers
---
Nix - nix@susesecurity.com
http://www.susesecurity.com
> > Now I just wonder why you filter these packets.
>
> Because the --sport is too low. Normally clients and servers query from 1024: --> 53 udp. This is 99% of all cases. For the 1% I will not open the 1:1023 ports.

Ok, this is of course a reason. I am not aware of how other non-unix operating systems use their ports (I have never used filters made for the privileged port range); 1% is a nice figure to know, though.

> Philipp
Thanks for the information,
Roman.
--
Roman Drahtmüller
Participants (3): Nix, Philipp Snizek, Roman Drahtmueller