ICMP Echo Request (ping) automagically preceding or following DNS reply -- Security Problem?


Post by Jon R. Kibler » Thu, 09 Dec 1999 04:00:00



I originally posted this question to comp.protocols.tcp-ip, but no one there seems to know the answer. I had one person email me the suggestion that I should post this problem here. So here goes...

When reviewing our security logs, I recently started noticing a bunch of 'pings' to our firewall from unfamiliar systems. When I started to investigate the problem, I found that they were somehow associated with a response to a DNS request. Worse, instead of the standard 64 byte echo request packet, they were all sending 1500 byte packets. For example, consider the following (hostnames have been changed; _out is an outgoing packet, _in is an incoming packet):

and

(I have complete packet dumps if that is needed to help explain the problem... just didn't want to post them here.)

Add to this, a review of old logs indicates that DNS requests to the sites have been made in the past without the associated ICMP packet 'attachments.' Finally, once 'the problem' starts, it seems to keep it up forever. This started about two weeks ago and seems to be spreading.

Anyone have any idea what is going on here? Is this a sign a site has been hacked, a sign that an upgrade to named or bind has a problem, or...??? Also, why would someone send such a large ping packet (or do some pings always send large packets)?

Should this be considered a security issue?

TIA for your help!

Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Mt. Pleasant, SC (Charleston)  USA
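As an added illustration of the correlation described in the post (not code from the original thread), the following Python routine runs over constructed firewall log lines in the `_out`/`_in` style and flags inbound echo requests that are unusually large and arrive within a short window after an inbound DNS reply. The log format, hosts, timestamps and thresholds are all assumptions made for the example.

```python
import re

# Constructed firewall log lines modelled on the thread's description
# (_out = outgoing, _in = incoming; hosts and times are made up).
LOG_LINES = """\
10:01:02.100 dns_out  udp  192.0.2.10:1234 -> 198.51.100.5:53 len 40
10:01:02.160 dns_in   udp  198.51.100.5:53 -> 192.0.2.10:1234 len 120
10:01:02.170 icmp_in  icmp 198.51.100.7 -> 192.0.2.10 type 8 len 1500
10:03:15.000 dns_in   udp  203.0.113.53:53 -> 192.0.2.10:1234 len 96
10:03:15.010 icmp_in  icmp 203.0.113.53 -> 192.0.2.10 type 8 len 64
10:07:00.000 dns_in   udp  198.51.100.5:53 -> 192.0.2.10:1234 len 120
10:07:09.000 icmp_in  icmp 203.0.113.9 -> 192.0.2.10 type 8 len 1500
""".splitlines()

# Assumed log layout: time, direction tag, protocol, src[:port] -> dst[:port],
# optional ICMP type, and the packet length.
LINE_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tag>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
    r"(?:\s+type\s+(?P<type>\d+))?\s+len\s+(?P<len>\d+)"
)

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["t"], ev["len"] = to_seconds(ev["ts"]), int(ev["len"])
            events.append(ev)
    return events

def correlate(lines, window=2.0, min_len=1000):
    """Flag inbound echo requests (ICMP type 8) of at least min_len bytes
    that arrive within `window` seconds after an inbound DNS reply."""
    events, hits = parse(lines), []
    for i, ev in enumerate(events):
        if ev["tag"] != "icmp_in" or ev["type"] != "8" or ev["len"] < min_len:
            continue
        for prev in events[:i]:          # earliest qualifying DNS reply wins
            gap = ev["t"] - prev["t"]
            if prev["tag"] == "dns_in" and 0 <= gap <= window:
                hits.append({"pinger": ev["src"], "dns_server": prev["src"],
                             "gap_s": round(gap, 3), "len": ev["len"]})
                break
    return hits
```

With the sample above only the 1500-byte ping arriving 10 ms after a DNS reply is flagged; the 64-byte ping is below the size threshold and the third ping falls outside the window.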



Post by Barry Margolin » Thu, 09 Dec 1999 04:00:00




>I originally posted this question to comp.protocols.tcp-ip, but no one
>there seems to know the answer. I had one person email me the suggestion
>that I should post this problem here. So here goes...

I thought I saw an answer there.

>When reviewing our security logs, I recently started noticing a bunch of
>'pings' to our firewall from unfamiliar systems. When I started to
>investigate the problem, I found that they were somehow associated with a
>response to a DNS request. Worse, instead of the standard 64 byte echo
>request packet, they were all sending 1500 byte packets. For example,
>consider the following (hostnames have been changed; _out is an outgoing
>packet, _in is an incoming packet):

These are most likely DNS servers that try to select the web server that
will give the client the best response time.  There are a number of
products like this on the market, such as Cisco Distributed Director, and
they use various ways of trying to determine which server is "closest" to
the client.  Local Directory can use ping or attempt DNS connections (since
the query is most likely coming from the client's caching DNS server, not
the client itself, so the DNS port should be open to it), and I remember a
thread a few months ago here where someone found out that connections to
their Echo port were from a device like this.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.



Post by Brian Hampson » Sat, 11 Dec 1999 04:00:00


: >When reviewing our security logs, I recently started noticing a bunch of
: >'pings' to our firewall from unfamiliar systems. When I started to
: >investigate the problem, I found that they were somehow associated with a
: >response to a DNS request. Worse, instead of the standard 64 byte echo
: >request packet, they were all sending 1500 byte packets. For example,
: >consider the following (hostnames have been changed; _out is an outgoing
: >packet, _in is an incoming packet):
:
: These are most likely DNS servers that try to select the web server that
: will give the client the best response time.  There are a number of
: products like this on the market, such as Cisco Distributed Director, and
: they use various ways of trying to determine which server is "closest" to
: the client.  Local Directory can use ping or attempt DNS connections (since
: the query is most likely coming from the client's caching DNS server, not
: the client itself, so the DNS port should be open to it), and I remember a
: thread a few months ago here where someone found out that connections to
: their Echo port were from a device like this.

Hey...that was me :)

Might it also be PATH MTU discovery?  Hence the 1500 bytes?

B.
--

   Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
   System Administrator,             Vancouver, BC (604)253-4188
      ----------------- http://www.ASL.CA/ ----------------------------  

I'm not speaking for the company <- They made me say that.



Post by Barry Margolin » Sat, 11 Dec 1999 04:00:00




>: >When reviewing our security logs, I recently started noticing a bunch of
>: >'pings' to our firewall from unfamiliar systems. When I started to
>: >investigate the problem, I found that they were somehow associated with a
>: >response to a DNS request. Worse, instead of the standard 64 byte echo
>: >request packet, they were all sending 1500 byte packets. For example,
>: >consider the following (hostnames have been changed; _out is an outgoing
>: >packet, _in is an incoming packet):
>:
>: These are most likely DNS servers that try to select the web server that
>: will give the client the best response time.  There are a number of
>: products like this on the market, such as Cisco Distributed Director, and
>: they use various ways of trying to determine which server is "closest" to
>: the client.  Local Directory can use ping or attempt DNS connections (since
>: the query is most likely coming from the client's caching DNS server, not
>: the client itself, so the DNS port should be open to it), and I remember a
>: thread a few months ago here where someone found out that connections to
>: their Echo port were from a device like this.

>Hey...that was me :)

>Might it also be PATH MTU discovery?  Hence the 1500 bytes?

No, Path MTU Discovery doesn't involve pings.  The sender sets the "Don't
fragment" flag in the header of the packets of the actual data transfer.  A
router along the way sends back ICMP error packets, but they should only
contain the header of the packet that caused the failure, not all 1500
bytes.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
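The distinction drawn in the reply above, as an added example that is not part of the original thread: a Path MTU Discovery error is ICMP type 3 / code 4 and quotes only the offending packet's IP header plus its first 8 bytes, while an echo request (type 8) carries its whole payload. The Python below builds both message kinds from constructed packets (addresses and MTU values are made up) and classifies them the way a log analyst would want; it assumes 20-byte IPv4 headers with no options and leaves checksums at zero.

```python
import struct

def ipv4_header(src, dst, total_len, proto=17, df=True):
    # Constructed minimal IPv4 header (20 bytes, no options, checksum left 0).
    flags_frag = 0x4000 if df else 0        # 0x4000 = DF ("don't fragment")
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def echo_request(payload, ident=1, seq=1):
    # ICMP type 8 / code 0: the entire payload travels in the request.
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

def frag_needed(original_packet, next_hop_mtu):
    # ICMP type 3 / code 4 (RFC 1191): 2 unused bytes, 2-byte next-hop MTU,
    # then only the offending packet's IP header plus its first 8 bytes.
    quoted = original_packet[:20 + 8]
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted

def classify(icmp):
    """Report the message kind and on-wire size (assumes a 20-byte IP header);
    for PMTUD errors also the advertised MTU and whether the quoted packet had DF."""
    kind, code = icmp[0], icmp[1]
    result = {"wire_bytes": 20 + len(icmp)}
    if kind == 8:
        result["kind"] = "echo-request"
    elif kind == 3 and code == 4:
        quoted = icmp[8:]
        result.update(kind="frag-needed", quoted_bytes=len(quoted),
                      next_hop_mtu=struct.unpack("!H", icmp[6:8])[0],
                      df_set=bool(struct.unpack("!H", quoted[6:8])[0] & 0x4000))
    else:
        result["kind"] = "other"
    return result

# Constructed cases: a 1500-byte DF data packet that hit a 576-byte link, and
# a 1500-byte (on the wire) echo request like the ones described in the thread.
BIG_PACKET = ipv4_header("192.0.2.10", "198.51.100.5", 1500) + b"\x00" * 1480
PMTUD_ERROR = frag_needed(BIG_PACKET, 576)
BIG_PING = echo_request(b"\x00" * (1500 - 20 - 8))
```

Run on these samples, the PMTUD error is 56 bytes on the wire and quotes 28 bytes of the original packet, whereas the echo request is the full 1500 bytes.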