Port Scan from Virgin DNS Server

04-01-2010, 10:23   #1
l_doddrell

I have the following IPS alert from my Cisco box:

No.001 Dec 27 22:34:51 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.002 Dec 27 22:34:51 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.003 Dec 27 22:34:52 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.004 Dec 27 22:34:53 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.005 Dec 27 22:34:54 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.006 Dec 27 22:34:55 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.007 Dec 27 22:34:55 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.008 Dec 27 22:34:57 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.009 Dec 27 22:34:57 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.010 Dec 27 22:34:58 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.011 Dec 27 22:34:58 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.012 Dec 27 22:35:00 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.013 Dec 27 22:35:03 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.014 Dec 27 22:35:04 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.015 Dec 27 22:39:56 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.016 Dec 27 22:39:56 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.017 Dec 27 22:39:59 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.018 Dec 27 22:39:59 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.019 Dec 27 22:40:00 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)
No.020 Dec 27 22:40:01 - [Firewall Log-PORT SCAN] UDP Packet - 194.168.4.100 --> (my external IP)

Anyone ever heard of Virgin doing this?

04-01-2010, 10:27   #2
Raistlin

How are you sure it's a port scan?

There are no port numbers listed there; if it is a port scan then I'd expect to see that same IP address sending packets to multiple ports on your IP.

04-01-2010, 12:06   #3
Jon T

BTW, 194.168.4.100 (and 194.168.8.100) are the Virgin DNS cluster addresses.

04-01-2010, 12:50   #4
l_doddrell

I know. Which is why I'm considering sending them a letter asking for an explanation.

As for which ports, I cannot tell. The log does not provide such data. Ultimately, it's not illegal, but I do think it's suspicious.

04-01-2010, 12:57   #5
token

It's probably DNS traffic, given that it appears to be only UDP and taking into account the source. Possibly a broken NAT on your end?

You need to capture the packets before anyone will take it even half seriously.

04-01-2010, 13:04   #6
Raistlin

Good luck getting an answer to your letter, this behaviour is most likely either a) your IPS mis-interpreting legitimate behaviour of the DNS system, or b) something borked within your network which is causing legitimate DNS traffic to be misinterpreted, or c) some form of unintentional malformation in the DNS data packets originating from that server which is confusing your IPS, or d) the originating IP address (the DNS server) is being spoofed and the scans are actually not scans at all, but some form of (rather lame) DDOS against your IP, or e) the packets that appear to be coming from the originating IP address (the DNS server) are being spoofed to generate excess entries in your IPS/IDS/Firewall logs in order to hide other activity/scanning/hacking attempts.

Unless you can get more information from your logs and then, by combining that with other sources of information about the activity across your network, work out exactly what that traffic is, you can't really be sure exactly what's going on.

If you approach Virgin complaining that you're getting UDP-based traffic from one of their DNS servers targeted at your public IP address I suspect that they will most likely just ignore you - if you expect them to actually do anything about it you really need a lot more information.

My suggestion? Unless it's actually causing you a problem just adjust your network defences to compensate and then move on. If you can't, or won't, do that then you're going to need to do a lot more investigation and work to resolve this one.

04-01-2010, 13:58   #7
webcrawler2050

Quote:
Originally Posted by Rob M
Good luck getting an answer to your letter, this behaviour is most likely either a) your IPS mis-interpreting legitimate behaviour of the DNS system, or b) something borked within your network which is causing legitimate DNS traffic to be misinterpreted, or c) some form of unintentional malformation in the DNS data packets originating from that server which is confusing your IPS, or d) the originating IP address (the DNS server) is being spoofed and the scans are actually not scans at all, but some form of (rather lame) DDOS against your IP, or e) the packets that appear to be coming from the originating IP address (the DNS server) are being spoofed to generate excess entries in your IPS/IDS/Firewall logs in order to hide other activity/scanning/hacking attempts.

Unless you can get more information from your logs and then, by combining that with other sources of information about the activity across your network, work out exactly what that traffic is, you can't really be sure exactly what's going on.

If you approach Virgin complaining that you're getting UDP-based traffic from one of their DNS servers targeted at your public IP address I suspect that they will most likely just ignore you - if you expect them to actually do anything about it you really need a lot more information.

My suggestion? Unless it's actually causing you a problem just adjust your network defences to compensate and then move on. If you can't, or won't, do that then you're going to need to do a lot more investigation and work to resolve this one.

Sound advice there, you'd be very wise to listen, carefully.

04-01-2010, 16:44   #8
dev

I would expect it's Virgin's DNS servers replying on different ports due to the security hole found in BIND and so it's more of a false positive from your IPS.
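
Added example, not part of any post in the thread: a Python sketch of the check the replies point towards, which is to capture the traffic and correlate each inbound UDP packet with your own outbound DNS queries before calling it a scan. The packet tuples, the LOCAL address, the thresholds and the function names are constructed for illustration; only 194.168.4.100 comes from the thread.

```python
from collections import namedtuple

# One captured UDP packet: timestamp (s), source ip/port, destination ip/port.
Pkt = namedtuple("Pkt", "ts src sport dst dport")

REPLY_WINDOW = 5.0    # assumed: seconds a reply may lag its query
SCAN_THRESHOLD = 10   # assumed: distinct destination ports that trip the naive rule

def naive_scan_sources(inbound, threshold=SCAN_THRESHOLD):
    """Port-count heuristic: flag any source that hits many local ports."""
    ports = {}
    for p in inbound:
        ports.setdefault(p.src, set()).add(p.dport)
    return {src for src, seen in ports.items() if len(seen) >= threshold}

def unsolicited(outbound, inbound, window=REPLY_WINDOW):
    """Inbound packets that do not answer a recent outbound query."""
    pending = {}  # (remote ip, remote port, local port) -> query timestamps
    for q in outbound:
        pending.setdefault((q.dst, q.dport, q.sport), []).append(q.ts)
    leftover = []
    for p in sorted(inbound, key=lambda pkt: pkt.ts):
        times = pending.get((p.src, p.sport, p.dport), [])
        hit = next((t for t in times if 0 <= p.ts - t <= window), None)
        if hit is None:
            leftover.append(p)   # nothing asked for this packet
        else:
            times.remove(hit)    # each query accounts for one reply
    return leftover

# Constructed capture: 12 lookups, each from a different local port,
# answered by the resolver, plus one packet nobody asked for.
RESOLVER, LOCAL = "194.168.4.100", "203.0.113.7"
SPORTS = [49152 + 137 * i for i in range(12)]
OUTBOUND = [Pkt(100.0 + i, LOCAL, sp, RESOLVER, 53) for i, sp in enumerate(SPORTS)]
INBOUND = [Pkt(q.ts + 0.03, RESOLVER, 53, LOCAL, q.sport) for q in OUTBOUND]
INBOUND.append(Pkt(130.0, RESOLVER, 53, LOCAL, 40000))

if __name__ == "__main__":
    print("naive rule flags:", naive_scan_sources(INBOUND))
    for p in unsolicited(OUTBOUND, INBOUND):
        print("unexplained:", p)
```

The port-count rule flags the resolver because every answer lands on a different local port, while the correlation step leaves only the single packet with no matching query as worth investigating.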