Greetings,

After tracking down what I believed was an attempted DOS attack, it turns out that two Windows 2000 servers, fully updated, were spewing out hundreds of port 53 requests. Upon further investigation dns.exe was hogging 99% of the CPU.

I haven't found any reference to this at CERT so I thought I would drop the occurrence into the nanog funnel to see what comes out. The attack started around 8AM MST. Thank you for your consideration.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com
DNS.exe is the executable for Microsoft DNS. This is either some kind of bug or a function of active directory w/in Windows 2000.

regards,
Ken Budd
Data Systems Engineer
702 Communications
Moorhead, MN 56560
phone: 218.284.5702
Fax: 218.284.5746

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Christopher J. Wolff
Sent: Monday, September 08, 2003 3:10 PM
To: nanog@merit.edu
Subject: dns.exe virus?
I have seen MS DNS go into some kind of resolving loop madness where for some reason it continually tries lookups.. in the cases when I've seen it, it has been a customer server which seemed to loop on some lame delegations - I noticed it as the queries on the lames loaded our dns caches!

Steve

On Mon, 8 Sep 2003, Ken Budd wrote:

DNS.exe is the executable for Microsoft DNS. This is either some kind of bug or a function of active directory w/in Windows 2000.
Christopher J. Wolff wrote:
After tracking down what I believed was an attempted DOS attack, it turns out that two Windows 2000 servers, fully updated, were spewing out hundreds of port 53 requests. Upon further investigation dns.exe was hogging 99% of the CPU.
I haven't found any reference to this at CERT so I thought I would drop the occurrence into the nanog funnel to see what comes out. The attack started around 8AM MST. Thank you for your consideration.
I wonder if this is the tool used to attack Spamhaus, SPEWS and SORBS. Do you know what the requests were for?
Chris,

It was really odd. Here is an example of what the two hosts .3 and .4 were up to.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Chris Lewis
Sent: Monday, September 08, 2003 1:52 PM
Cc: nanog@merit.edu
Subject: Re: dns.exe virus?
Christopher J. Wolff wrote:
Chris,
It was really odd. Here is an example of what the two hosts .3 and .4 were up to.
For grins, I ran that through our blacklist tool to see what it coughed up. Nothing was on our blacklists. Had rDNS's like *.google.com, *.akamai.com, sprintbbsd, ns2.granitecanyon.com, DNS root servers and a few non-resolving IPs. DNS resolution loop perchance?
From here, they all show up in the logs attempting dynamic updates of the in-addr.arpa domain. :)

Time to suck pkts... although I 'spect they are trying to perform stupid DNS tricks like:

floss.local.in-addr.arpa. A 10.10.10.10

--bill
FYI, I put the suspect file up at http://www.bblabs.com/dns.exe

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of bmanning@karoshi.com
Sent: Monday, September 08, 2003 2:37 PM
To: Chris Lewis
Cc: nanog@merit.edu
Subject: Re: dns.exe virus?
On Mon, 8 Sep 2003 13:52:41 -0700 "Christopher J. Wolff" <chris@bblabs.com> wrote:
| Here is an example of what the two hosts .3 and .4 were up to.
{snipped}

The list of hosts they were accessing is ... well, interesting!

24.221.129.4    aztutmux01.az.sprintbbd.net
24.221.129.5    aztutmns01.az.sprintbbd.net
63.210.142.26   unknown.Level3.net
63.215.198.78   unknown.Level3.net
63.240.144.98   a63.240.144.98.deploy.akamaitechnologies.com
63.240.15.245   [CERFnet]
64.215.170.28   [Akamai Technologies/Dallas]
64.24.79.2      [StarNet]
64.24.79.3      [StarNet]
64.24.79.5      [StarNet]
65.102.83.43    ns2.granitecanyon.com
128.121.26.10   [Verio]
166.90.208.166  a166-90-208-166.deploy.akamaitechnologies.com
192.26.92.30    c.gtld-servers.net
192.31.80.30    d.gtld-servers.net
192.35.51.30    f.gtld-servers.net
192.36.148.17   i.root-servers.net
192.41.162.30   l.gtld-servers.net
192.43.172.30   i.gtld-servers.net
192.48.79.30    j.gtld-servers.net
192.5.6.30      a.gtld-servers.net
192.52.178.30   k.gtld-servers.net
192.55.83.30    m.gtld-servers.net
205.166.226.38  ns1.granitecanyon.com
213.161.66.159  213-161-66-159.akamai.com
216.239.32.10   ns1.google.com
216.239.38.10   ns4.google.com
216.74.14.155   [XO]

(Where no rDNS existed, the Netblock owner is shown in [])

--
Richard Cox
%% HELO - the first word of every Email transaction - is in Welsh! %%
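The pattern the thread converges on (a server, not a client, fanning out from one fixed source port to root and gTLD servers while it chases delegations) can be spotted from exactly the kind of connection dump Wolff posted. The following is an added example, not code from anyone in the thread: it parses constructed lines in the same "src:port dst:port dst:port" layout, uses the root/gTLD addresses from Richard Cox's resolution above, and the flagging thresholds are assumed values.

```python
"""Flag hosts that look like a looping DNS server: fixed source port, many port-53 destinations, repeated root/gTLD hits."""
from collections import defaultdict

# Root/gTLD server addresses as resolved in Richard Cox's post above.
ROOT_GTLD = {"192.36.148.17", "192.5.6.30", "192.26.92.30", "192.31.80.30",
             "192.35.51.30", "192.41.162.30", "192.43.172.30", "192.48.79.30",
             "192.52.178.30", "192.55.83.30"}

# Constructed sample in the "src:port dst:port dst:port" layout of the posted dump;
# .3 and .4 mimic the two servers, .9 is an ordinary client using an ephemeral port.
SAMPLE_LOG = """\
10.11.0.4:1420 192.36.148.17:53 192.36.148.17:53
10.11.0.3:4554 216.239.38.10:53 216.239.38.10:53
10.11.0.4:1420 192.5.6.30:53 192.5.6.30:53
10.11.0.3:4554 192.48.79.30:53 192.48.79.30:53
10.11.0.3:4554 192.31.80.30:53 192.31.80.30:53
10.11.0.4:1420 192.55.83.30:53 192.55.83.30:53
10.11.0.9:51234 10.11.0.1:53 10.11.0.1:53
not a log line
"""

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for a malformed line."""
    parts = line.split()
    try:
        src_ip, src_port = parts[0].rsplit(":", 1)
        dst_ip, dst_port = parts[1].rsplit(":", 1)
        return src_ip, int(src_port), dst_ip, int(dst_port)
    except (IndexError, ValueError):
        return None

def summarize(log_text):
    """Per source IP: distinct port-53 destinations, source ports seen, root/gTLD hits."""
    stats = defaultdict(lambda: {"dsts": set(), "sports": set(), "root_gtld": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 53:      # keep only DNS traffic
            continue
        src_ip, src_port, dst_ip, _ = rec
        stats[src_ip]["dsts"].add(dst_ip)
        stats[src_ip]["sports"].add(src_port)
        stats[src_ip]["root_gtld"] += dst_ip in ROOT_GTLD
    return stats

def flag_loopers(log_text, min_dsts=3, min_root=2):
    """Sources fanning out from a single source port to many servers and repeatedly
    hitting root/gTLD servers. Thresholds are assumed values for this constructed sample."""
    return sorted(src for src, s in summarize(log_text).items()
                  if len(s["dsts"]) >= min_dsts and s["root_gtld"] >= min_root
                  and len(s["sports"]) == 1)
```

Running `flag_loopers(SAMPLE_LOG)` returns the two server addresses and leaves the client alone; tightening `min_root` narrows it to the host that touched root/gTLD servers most.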