Networking Forums
Home Register Members Search Links
Member Login:

Networking Forums > Computer Networking > Linux Networking > Unknown DNS packets

Reply
Thread Tools Display Modes

Unknown DNS packets

 
 
Gianni Bragante
Guest
Posts: n/a

 
      01-09-2004, 09:05 PM
Sometimes I find my iptables based firewall discards a large number of DNS
packet directed to the IP address of our mail server. This occurs several
times per day.
Sources are different IP addresses, each having at the same time the same
idea to query a non existent DNS. Anybody could explain that?
Does this happens to anybody else? Is this an attempted exploit of
something? Of what?

Please anybody helps me shed some light

Thanks
Gianni Bragante

2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=212.162.1.194
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP
SPT=57096 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=195.50.97.130
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP
SPT=53491 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.37.246.2
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=12672 PROTO=UDP
SPT=43472 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=65.169.170.131
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP
SPT=60999 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.41.192.103
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=49 ID=45031 PROTO=UDP
SPT=49915 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=63.166.13.66
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=41 ID=0 DF PROTO=UDP
SPT=50147 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.14.117.10
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=50 ID=24604 PROTO=UDP
SPT=12503 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.15.251.198
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=49 ID=42296 PROTO=UDP
SPT=22051 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=63.210.193.2
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP
SPT=41291 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=205.158.108.194
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=47 ID=48750 PROTO=UDP
SPT=25094 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=208.185.54.14
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=47 ID=54099 PROTO=UDP
SPT=7972 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.0.96.12
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=46390 PROTO=UDP
SPT=40694 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=202.160.241.130
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=46 ID=29169 PROTO=UDP
SPT=39844 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=210.224.186.4
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP
SPT=22829 DPT=53 LEN=52
2004-01-09 21:15:34 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=208.185.219.166
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP
SPT=61954 DPT=53 LEN=52

2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=212.162.1.194
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP
SPT=57096 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=195.50.97.130
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP
SPT=53491 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.37.246.2
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=16807 PROTO=UDP
SPT=43472 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=65.169.170.131
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP
SPT=60999 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.41.192.103
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=49 ID=52668 PROTO=UDP
SPT=49915 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=63.166.13.66
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=41 ID=0 DF PROTO=UDP
SPT=50147 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.14.117.10
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=50 ID=38141 PROTO=UDP
SPT=12503 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.15.251.198
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=49 ID=52304 PROTO=UDP
SPT=22051 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=63.210.193.2
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP
SPT=41291 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=205.158.108.194
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=47 ID=58321 PROTO=UDP
SPT=25094 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=208.185.54.14
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=47 ID=63934 PROTO=UDP
SPT=7972 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=221.111.1.4
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP
SPT=46091 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=202.160.241.130
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=46 ID=40974 PROTO=UDP
SPT=39844 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=210.224.186.4
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP
SPT=22829 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=64.0.96.12
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=59686 PROTO=UDP
SPT=40694 DPT=53 LEN=52
2004-01-09 21:15:44 Kernel.Info [Firewal-IP] kernel: iptables-drop IN=eth1
OUT= MAC=00:01:02:da:e6:6a:00:0c:ce:6d:25:e1:08:00 SRC=208.185.219.166
DST=[MailServer-IP] LEN=72 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP
SPT=61954 DPT=53 LEN=52
 
Reply With Quote
 
 
 
 
Patrick Cohan
Guest
Posts: n/a

 
      01-09-2004, 09:44 PM
I ran the IP's through ARIN and RIPE, some are american based, and some are
in London England.

It could be somebody trying to find security holes, find a spammer machine,
or to relay through.

Keep your dns as read only.


"Gianni Bragante" <(E-Mail Removed)> wrote in message
news:0BFLb.66072$(E-Mail Removed)...
> Sometimes I find my iptables based firewall discards a large number of DNS
> packet directed to the IP address of our mail server. This occurs several
> times per day.
> Sources are different IP addresses, each having at the same time the same
> idea to query a non existent DNS. Anybody could explain that?
> Does this happens to anybody else? Is this an attempted exploit of
> something? Of what?
>
> Please anybody helps me shed some light
>
> Thanks
> Gianni Bragante
>
 
Reply With Quote
Reply

« ???Link Loadbalancing on Linux any howtos? | iptables; allowing external web access to 192.168.0.1; how? »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Unknown MAC address Alberto Windows Networking 5 08-25-2009 02:37 PM
Newbie wants to look at other people's packets (promiscuous mode fails to capture packets) George D. Wireless Internet 1 07-14-2007 07:09 AM
Packets Received Unknown Rick Windows Networking 3 08-23-2006 04:36 PM
unknown password mdhyman Wireless Networks 1 02-11-2006 05:46 PM
Unknown Network Jerome Broadband Hardware 3 06-10-2004 04:16 PM


Forum Software Powered by vBulletin®, Copyright Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2 ©2009, Crawlability, Inc.
Contact Us - Archive - Privacy Statement - Top

1 2 3 4 5 6 7 8 9 10 11