That's what I suspect is a misconfiguration in that DNS, but I don't see it
anywhere. It's negligible traffic, the only reason I even saw it was the
deny policy for that subnet incremented quicker than I expected, so I
looked.
This is a /28 I brought up for some management servers and whatnot, 2 DNS
will be there. It looks like actual queries coming into it, but just going
nowhere. These DNS servers will only be for our network so the queries will
still get dropped at the firewall so there won't be any impact, at this
point it's just curiosity.

On Mon, Oct 12, 2015 at 10:18 AM, Ken Hohhof <[email protected]> wrote:

> Is this enough traffic to raise suspicion of an actual attack?  Or just a
> constant random dribble of DNS queries?  If so, and given the queries are
> all for the same domain, maybe someone just has the authoritative
> nameserver or a delegation set wrong for that domain.  Hard to tell since
> it is hidden behind Cloudfront.
>
> If the facts equally support a diagnosis of stupidity or malicious intent,
> I would choose stupidity.
>
>
> *From:* Bill Prince <[email protected]>
> *Sent:* Monday, October 12, 2015 10:03 AM
> *To:* [email protected]
> *Subject:* Re: [AFMUG] a lot of traffic to a dead subnet
>
> Chinese script kiddies
>
> bp
> <part15sbs{at}gmail{dot}com>
>
>
> On 10/11/2015 11:56 PM, That One Guy /sarcasm wrote:
>
> So this is what I'm seeing
> No. Time Source Destination Protocol Length Info
>
> 1 0 97.244.127.16 x.x.x.29 DNS 80 Standard query 0x0f7f  A ipsx.www.feiwu28.com
> 2 0.000041 97.244.127.16 x.x.x.29 DNS 80 Standard query 0x0f7f  A ipsx.www.feiwu28.com
> 3 0.152372 108.149.222.68 x.x.x.29 DNS 78 Standard query 0x43de  A wt.www.feiwu28.com
> 4 0.152419 108.149.222.68 x.x.x.29 DNS 78 Standard query 0x43de  A wt.www.feiwu28.com
> 5 0.284983 77.1.51.122 x.x.x.29 DNS 90 Standard query 0x7933  A mzybuvoxitajax.www.feiwu28.com
> 6 0.285022 77.1.51.122 x.x.x.29 DNS 90 Standard query 0x7933  A mzybuvoxitajax.www.feiwu28.com
> 7 0.376112 90.5.169.181 x.x.x.29 DNS 88 Standard query 0xb4a9  A ydghgtwlydqn.www.feiwu28.com
> 8 0.376153 90.5.169.181 x.x.x.29 DNS 88 Standard query 0xb4a9  A ydghgtwlydqn.www.feiwu28.com
> 9 0.402671 122.238.197.130 x.x.x.29 DNS 90 Standard query 0x81c5  A cnmbabadihghyn.www.feiwu28.com
> 10 0.402701 122.238.197.130 x.x.x.29 DNS 90 Standard query 0x81c5  A cnmbabadihghyn.www.feiwu28.com
> 11 0.435507 64.25.181.145 x.x.x.29 DNS 84 Standard query 0x90b5  A azyxqpov.www.feiwu28.com
> 12 0.435545 64.25.181.145 x.x.x.29 DNS 84 Standard query 0x90b5  A azyxqpov.www.feiwu28.com
> 13 0.479851 35.105.6.37 x.x.x.29 DNS 92 Standard query 0x2406  A ujyfknkbmvazybip.www.feiwu28.com
> 14 0.479889 35.105.6.37 x.x.x.29 DNS 92 Standard query 0x2406  A ujyfknkbmvazybip.www.feiwu28.com
> 15 0.55605 53.94.187.123 x.x.x.29 DNS 86 Standard query 0x7abb  A udubabytyp.www.feiwu28.com
> 16 0.556087 53.94.187.123 x.x.x.29 DNS 86 Standard query 0x7abb  A udubabytyp.www.feiwu28.com
> 17 0.764436 83.102.42.152 x.x.x.29 DNS 78 Standard query 0x972a  A yh.www.feiwu28.com
> 18 0.764491 83.102.42.152 x.x.x.29 DNS 78 Standard query 0x972a  A yh.www.feiwu28.com
> 19 0.794148 123.253.173.4 x.x.x.29 DNS 92 Standard query 0x03ad  A epaxwjolchkhkzkz.www.feiwu28.com
> 20 0.794189 123.253.173.4 x.x.x.29 DNS 92 Standard query 0x03ad  A epaxwjolchkhkzkz.www.feiwu28.com
> 21 0.795351 80.152.25.238 x.x.x.29 DNS 92 Standard query 0xed19  A ujonopsvixozajwx.www.feiwu28.com
> 22 0.795382 80.152.25.238 x.x.x.29 DNS 92 Standard query 0xed19  A ujonopsvixozajwx.www.feiwu28.com
> 23 0.799311 69.172.160.207 x.x.x.29 DNS 92 Standard query 0xcea0  A gfurwzsvonohydun.www.feiwu28.com
> 24 0.799339 69.172.160.207 x.x.x.29 DNS 92 Standard query 0xcea0  A gfurwzsvonohydun.www.feiwu28.com
> 25 0.799366 116.108.83.140 x.x.x.29 DNS 92 Standard query 0x8b53  A utshctevwzczehyj.www.feiwu28.com
> 26 0.799397 116.108.83.140 x.x.x.29 DNS 92 Standard query 0x8b53  A utshctevwzczehyj.www.feiwu28.com
> 27 1.351741 95.136.208.159 x.x.x.29 DNS 78 Standard query 0x9ed0  A kr.www.feiwu28.com
> 28 1.351793 95.136.208.159 x.x.x.29 DNS 78 Standard query 0x9ed0  A kr.www.feiwu28.com
> 29 1.351799 126.133.60.242 x.x.x.29 DNS 78 Standard query 0xf13c  A uf.www.feiwu28.com
>
> On Mon, Oct 12, 2015 at 1:26 AM, CBB - Jay Fuller <
> [email protected]> wrote:
>
>>
>>
>> i am stupid.
>> sounds like a great demonstration.
>> wispapaloosa session anyone?
>>
>> or would this be one of those "hall conversations" i keep hearing about?
>> :)
>>
>> ----- Original Message -----
>> *From:* That One Guy /sarcasm <[email protected]>
>> *To:* <[email protected]>[email protected]
>> *Sent:* Monday, October 12, 2015 12:27 AM
>> *Subject:* Re: [AFMUG] a lot of traffic to a dead subnet
>>
>> I love these mikrotiks!!
>>
>> Thanks for pointing out I can just save the file and load it into
>> wireshark, drag and dropped it out of winbox to my PC without having to set
>> up a capture for the stream or anything, this is like the greatest thing
>> ever, or at least in the last ten minutes
>>
>> On Fri, Oct 9, 2015 at 3:28 PM, David < <[email protected]>
>> [email protected]> wrote:
>>
>>> use wire shark or SHARKNADO tool
>>>
>>>
>>> On 10/09/2015 03:02 PM, Josh Luthman wrote:
>>>
>>> Stream it =)
>>>
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>> On Fri, Oct 9, 2015 at 3:57 PM, That One Guy /sarcasm <
>>> <[email protected]>[email protected]> wrote:
>>>
>>>> without dumping it to a server.
>>>> the sniffer doesn't seem to have a verbose option that I've read
>>>>
>>>> On Fri, Oct 9, 2015 at 2:53 PM, Josh Luthman <
>>>> <[email protected]>[email protected]> wrote:
>>>>
>>>>> tools > sniffer
>>>>>
>>>>>
>>>>> Josh Luthman
>>>>> Office: 937-552-2340
>>>>> Direct: 937-552-2343
>>>>> 1100 Wayne St
>>>>> Suite 1337
>>>>> Troy, OH 45373
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:52 PM, That One Guy /sarcasm <
>>>>> <[email protected]>[email protected]> wrote:
>>>>>
>>>>>> is there a way to get a tcpdump package onto mikrotik
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 1:00 PM, Forrest Christian (List Account) <
>>>>>> <[email protected]>[email protected]> wrote:
>>>>>>
>>>>>>> If you can capture the traffic, you may find that it is legitimate
>>>>>>> traffic for a misconfigured domain. I.e. some domain has their name
>>>>>>> servers listed including that IP. A capture should show which domain
>>>>>>> the query is for.
>>>>>>>
>>>>>>> I seem to recall the sniffer functionality in a mikrotik will either
>>>>>>> decode this, or more likely save and/or stream it so that you can use
>>>>>>> Wireshark on a PC to decode.
>>>>>>> On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm" <
>>>>>>> <[email protected]>[email protected]> wrote:
>>>>>>>
>>>>>>>> My policy on this interface is default deny, so it is dropping
>>>>>>>> them, but it's still going on to just the one IP out of the /28 subnet.
>>>>>>>> I don't mind dropping them, it's not noticeable bandwidth, I just can't
>>>>>>>> figure out why it is the traffic is focused there. I almost wonder if I
>>>>>>>> was to stick a DNS server on that IP if it would increase
>>>>>>>>
>>>>>>>> On Fri, Oct 9, 2015 at 8:08 AM, David < <[email protected]>
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> DDOSDNS bot trying to find a live host for pushing responses.
>>>>>>>>>
>>>>>>>>> add rule
>>>>>>>>> input udp dest-port 53 interface=to internet drop in your firewall
>>>>>>>>>
>>>>>>>>> hate those little bastards, don't have anything else to do except do
>>>>>>>>> what they're programmed to do
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote:
>>>>>>>>>
>>>>>>>>> So I'm at home, turning up a subnet on a mikrotik on the network.
>>>>>>>>> Mind you this subnet hasn't been in use in 6 months. This is for some
>>>>>>>>> servers so I create a default deny policy with logging. One of the
>>>>>>>>> IPs is being hammered on port 53 udp per the packet sniffer. The IP
>>>>>>>>> isn't live, it's just dropping because of the policy. It's not much
>>>>>>>>> bandwidth but as best I can tell it's constant and different IPs.
>>>>>>>>>
>>>>>>>>> Is the packet sniffer on these things similar to tcpdump, the
>>>>>>>>> manual page didn't seem so. All I can guess is these are part of
>>>>>>>>> something I'm not related to and since this IP hasn't been live in 6
>>>>>>>>> months it's spoofed or something and these are some sort of response
>>>>>>>>> packet to a denial of service somewhere else.
>>>>>>>>> But this subnet, not this particular IP, will house a couple DNS
>>>>>>>>> servers, I just want to make sure there's no shenanigans going on
>>>>>>>>> before I turn anything up.
>>>>>>>>> Without being at the office to wireshark this from a switch, how
>>>>>>>>> do I get more out of this mikrotik packet sniffer?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> If you only see yourself as part of the team but you don't see
>>>>>>>>> your team as part of yourself you have already failed as part of the 
>>>>>>>>> team.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> If you only see yourself as part of the team but you don't see your
>>>>>>>> team as part of yourself you have already failed as part of the team.
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> If you only see yourself as part of the team but you don't see your
>>>>>> team as part of yourself you have already failed as part of the team.
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> If you only see yourself as part of the team but you don't see your
>>>> team as part of yourself you have already failed as part of the team.
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> If you only see yourself as part of the team but you don't see your team
>> as part of yourself you have already failed as part of the team.
>>
>>
>
>
> --
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.
>
>
>


-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.
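One way to triage a packet list like the one quoted in this thread, as an added example that is not from the thread or any of its posters: parse the Wireshark one-line-per-packet format, then summarize per parent zone how many distinct leftmost labels and distinct source addresses appear and how many packets are exact duplicates. The sample lines are constructed with RFC 5737 documentation addresses and a placeholder domain; the "random-subdomain vs. stale delegation" test is a heuristic, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Wireshark packet list quoted in the thread
# (RFC 5737 documentation addresses and a placeholder domain, not the real capture).
SAMPLE = """\
1 0 203.0.113.16 192.0.2.29 DNS 80 Standard query 0x0f7f  A ipsx.www.example.com
2 0.000041 203.0.113.16 192.0.2.29 DNS 80 Standard query 0x0f7f  A ipsx.www.example.com
3 0.152372 198.51.100.68 192.0.2.29 DNS 78 Standard query 0x43de  A wt.www.example.com
4 0.152419 198.51.100.68 192.0.2.29 DNS 78 Standard query 0x43de  A wt.www.example.com
5 0.284983 203.0.113.122 192.0.2.29 DNS 90 Standard query 0x7933  A mzybuvoxitajax.www.example.com
6 0.285022 203.0.113.122 192.0.2.29 DNS 90 Standard query 0x7933  A mzybuvoxitajax.www.example.com
7 0.376112 198.51.100.181 192.0.2.29 DNS 88 Standard query 0xb4a9  A ydghgtwlydqn.www.example.com
8 0.402671 203.0.113.130 192.0.2.29 DNS 90 Standard query 0x81c5  A cnmbabadihghyn.www.example.com
9 0.435507 198.51.100.145 192.0.2.29 DNS 84 Standard query 0x90b5  A azyxqpov.www.example.com
"""

# One packet-list line: No. Time Source Destination Protocol Length Info
LINE = re.compile(r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+"
                  r"(?P<length>\d+)\s+Standard query\s+(?P<qid>0x[0-9a-f]+)\s+(?P<qtype>\w+)\s+(?P<qname>\S+)$")

def parse_packet_list(text):
    """One dict per line matching the DNS query format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, map(str.strip, text.splitlines())) if m]

def summarize(rows, parent_labels=3):
    """Per parent zone: queries, distinct leftmost labels, distinct sources, exact duplicates.
    Duplicates microseconds apart usually mean the sniffer saw the same packet twice."""
    acc = defaultdict(lambda: {"queries": 0, "labels": set(), "sources": set(), "seen": set(), "dups": 0})
    for r in rows:
        labels = r["qname"].rstrip(".").split(".")
        s = acc[".".join(labels[-parent_labels:])]
        s["queries"] += 1
        s["labels"].add(".".join(labels[:-parent_labels]))
        s["sources"].add(r["src"])
        key = (r["src"], r["qid"], r["qname"])
        if key in s["seen"]:
            s["dups"] += 1
        s["seen"].add(key)
    return {p: {"queries": s["queries"], "distinct_labels": len(s["labels"]),
                "distinct_sources": len(s["sources"]), "duplicates": s["dups"]}
            for p, s in acc.items()}

def random_subdomain_candidates(stats, min_sources=5, min_labels=5):
    """Heuristic: many sources each asking for its own never-repeated label under one
    parent is the shape of a random-subdomain flood; a stale NS record tends instead to
    show a few real names repeated by a smaller set of resolvers."""
    return [p for p, s in stats.items()
            if s["distinct_sources"] >= min_sources and s["distinct_labels"] >= min_labels]
```

On a real export, feed the saved packet list to parse_packet_list and look at the per-zone counts before deciding whether the destination IP simply appears in someone's NS records.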
