Port Scan from Virgin DNS Server


l_doddrell
04-01-2010, 11:23
I have the following IPS alert from my Cisco box:

No.001 Dec 27 22:34:51 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.002 Dec 27 22:34:51 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.003 Dec 27 22:34:52 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.004 Dec 27 22:34:53 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.005 Dec 27 22:34:54 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.006 Dec 27 22:34:55 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.007 Dec 27 22:34:55 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.008 Dec 27 22:34:57 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.009 Dec 27 22:34:57 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.010 Dec 27 22:34:58 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.011 Dec 27 22:34:58 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.012 Dec 27 22:35:00 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.013 Dec 27 22:35:03 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.014 Dec 27 22:35:04 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.015 Dec 27 22:39:56 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.016 Dec 27 22:39:56 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.017 Dec 27 22:39:59 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.018 Dec 27 22:39:59 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.019 Dec 27 22:40:00 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.020 Dec 27 22:40:01 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)

Anyone ever heard of Virgin doing this?

Raistlin
04-01-2010, 11:27
How are you sure it's a port scan?

There are no port numbers listed there, if it is a port scan then I'd expect to see that same IP address sending packets to multiple ports on your IP.

Jon T
04-01-2010, 13:06
BTW, 194.168.4.100(and 194.168.8.100) are the Virgin DNS cluster addresses.

l_doddrell
04-01-2010, 13:50
I know. Which is why I'm considering sending them a letter asking for an explanation.

As for which ports, I cannot tell. The log does not provide such data. Ultimately, it's not illegal, but I do think it's suspicious.

token
04-01-2010, 13:57
It's probably DNS traffic, given that it appears to be only UDP and taking into account the source. Possibly a broken NAT on your end?

You need to capture the packets before anyone will take it even half seriously.

Raistlin
04-01-2010, 14:04
Good luck getting an answer to your letter, this behaviour is most likely either:
a) your IPS mis-interpreting legitimate behaviour of the DNS system, or
b) something borked within your network which is causing legitimate DNS traffic to be misinterpreted, or
c) some form of unintentional malformation in the DNS data packets originating from that server which is confusing your IPS, or
d) the originating IP address (the DNS server) is being spoofed and the scans are actually not scans at all, but some form of (rather lame) DDOS against your IP, or
e) the packets that appear to be coming from the originating IP address (the DNS server) are being spoofed to generate excess entries in your IPS/IDS/Firewall logs in order to hide other activity/scanning/hacking attempts.

Unless you can get more information from your logs and then, by combining that with other sources of information about the activity across your network, work out exactly what that traffic is you can't really be sure exactly what's going on.

If you approach Virgin complaining that you're getting UDP based traffic from one of their DNS servers targeted at your public IP address I suspect that they will most likely just ignore you - if you expect them to actually do anything about it you really need a lot more information.

My suggestion? Unless it's actually causing you a problem just adjust your network defences to compensate and then move on. If you can't, or won't, do that then you're going to need to do a lot more investigation and work to resolve this one.

webcrawler2050
04-01-2010, 14:58
Good luck getting an answer to your letter, this behaviour is most likely either:
a) your IPS mis-interpreting legitimate behaviour of the DNS system, or
b) something borked within your network which is causing legitimate DNS traffic to be misinterpreted, or
c) some form of unintentional malformation in the DNS data packets originating from that server which is confusing your IPS, or
d) the originating IP address (the DNS server) is being spoofed and the scans are actually not scans at all, but some form of (rather lame) DDOS against your IP, or
e) the packets that appear to be coming from the originating IP address (the DNS server) are being spoofed to generate excess entries in your IPS/IDS/Firewall logs in order to hide other activity/scanning/hacking attempts.

Unless you can get more information from your logs and then, by combining that with other sources of information about the activity across your network, work out exactly what that traffic is you can't really be sure exactly what's going on.

If you approach Virgin complaining that you're getting UDP based traffic from one of their DNS servers targeted at your public IP address I suspect that they will most likely just ignore you - if you expect them to actually do anything about it you really need a lot more information.

My suggestion? Unless it's actually causing you a problem just adjust your network defences to compensate and then move on. If you can't, or won't, do that then you're going to need to do a lot more investigation and work to resolve this one.

Sound advice there, you'd be very wise to listen, carefully. :)

dev
04-01-2010, 17:44
I would expect it's Virgin's DNS servers replying on different ports due to the security hole found in BIND and so it's more of a false positive from your IPS.
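The three points made in this thread (Raistlin: a real scan means one source hitting many destination ports; token: without port data you have to capture packets before concluding anything; dev: a resolver answering from UDP/53 to many client ephemeral ports looks scan-like to a naive IPS) can be turned into a small triage script. This is an added example, not code from anyone in the thread. It assumes a log format that carries `src:port --> dst:port` after the "Packet - " marker, which the Cisco log above does not actually show; the sample lines with ports, the client address 203.0.113.10, the scanning address 198.51.100.77 and the port numbers are all constructed for the example. The resolver addresses 194.168.4.100 and 194.168.8.100 are the ones Jon T names in the thread.

```python
"""Triage 'PORT SCAN' firewall alerts: scan-like, DNS replies, or not enough data?"""
import re
from collections import defaultdict

# Virgin DNS cluster addresses as named in the thread (known resolvers).
KNOWN_RESOLVERS = frozenset({"194.168.4.100", "194.168.8.100"})

# Matches both the thread's original line (no ports) and an assumed variant
# with src:port --> dst:port. Ports are optional so that their absence is
# detected rather than silently treated as "port 0".
LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) Packet - "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r" --> "
    r"(?P<dst>.+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample log. Lines 1-2: the thread's own format (no ports).
# Lines 3-7: constructed DNS replies, resolver answers from UDP/53 to five
# different client ephemeral ports (what dev's explanation would look like).
# Lines 8-12: a constructed genuine scan, one source sweeping five services.
SAMPLE_LOG = """\
No.001 Dec 27 22:34:51 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.002 Dec 27 22:34:51 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.003 Dec 27 22:34:52 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.8.100:53 --> 203.0.113.10:51234
No.004 Dec 27 22:34:53 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.8.100:53 --> 203.0.113.10:60871
No.005 Dec 27 22:34:54 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.8.100:53 --> 203.0.113.10:33902
No.006 Dec 27 22:34:55 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.8.100:53 --> 203.0.113.10:47118
No.007 Dec 27 22:34:55 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.8.100:53 --> 203.0.113.10:55460
No.008 Dec 27 22:36:10 - [Firewall Log-PORT SCAN] TCP Packet - 198.51.100.77:41000 --> 203.0.113.10:21
No.009 Dec 27 22:36:10 - [Firewall Log-PORT SCAN] TCP Packet - 198.51.100.77:41000 --> 203.0.113.10:22
No.010 Dec 27 22:36:11 - [Firewall Log-PORT SCAN] TCP Packet - 198.51.100.77:41000 --> 203.0.113.10:23
No.011 Dec 27 22:36:11 - [Firewall Log-PORT SCAN] TCP Packet - 198.51.100.77:41000 --> 203.0.113.10:25
No.012 Dec 27 22:36:12 - [Firewall Log-PORT SCAN] TCP Packet - 198.51.100.77:41000 --> 203.0.113.10:80
"""


def parse_log(text):
    """Return one record per recognised log line; ports are None when absent."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        records.append({
            "proto": m["proto"],
            "src": m["src"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return records


def triage(records, known_resolvers=frozenset(), scan_threshold=5):
    """Classify each source address.

    Returns {src: (label, distinct_destination_ports)} where label is one of
    'no-port-data', 'dns-replies', 'possible-scan' or 'no-scan-pattern'.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    verdicts = {}
    for src, recs in by_src.items():
        # token's point: without ports the alert cannot be interpreted at all.
        if any(r["dport"] is None for r in recs):
            verdicts[src] = ("no-port-data", 0)
            continue
        dports = {r["dport"] for r in recs}
        sports = {r["sport"] for r in recs}
        all_udp = all(r["proto"] == "UDP" for r in recs)
        # dev's point: a known resolver answering from UDP/53 to many client
        # ephemeral ports is expected DNS behaviour, not a scan.
        if src in known_resolvers and sports == {53} and all_udp:
            verdicts[src] = ("dns-replies", len(dports))
        # Raistlin's point: a scan is one source touching many destination ports.
        elif len(dports) >= scan_threshold:
            verdicts[src] = ("possible-scan", len(dports))
        else:
            verdicts[src] = ("no-scan-pattern", len(dports))
    return verdicts


if __name__ == "__main__":
    for src, (label, n) in triage(parse_log(SAMPLE_LOG), KNOWN_RESOLVERS).items():
        print(f"{src:16} {label:16} distinct dst ports={n}")
```

The "dns-replies" verdict only says the traffic is shaped like resolver answers; whether those answers were solicited is a separate question a stateful firewall answers by matching them to outbound queries. Replies that no inside host asked for are exactly the "broken NAT" case token raises, and the only way to settle it is the packet capture the thread asks for, where the UDP source port 53 and the DNS payload can be seen directly.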