Intruder 202.176.209.3, of SingTel, Singapore, Uses DNS To Map LAN

Bear in mind, when reading this, that there is absolutely no other traffic on this LAN.  The LAN is effectively in honeypot mode.

202.176.209.3 seems to be using DNS to map the network.  I've seen this before: the attacker floods the outer router with unsolicited DNS replies, uses an ARP attack (man-in-the-middle) to block access to the ISP's DNS name servers, or otherwise crashes the DNS relay.  When an inner router realizes it can no longer make DNS requests through the DNS relay, the next router on the outbound side refers it to its own DNS providers... and the hacker watching from outside notes the new requester's IP.

Then, it seems, after tunneling past two other routers, the intruder attempts to obtain a local IP address on a 4th router, via DHCP, and fails.  Undaunted, the hacker reattempts the attack 4 hours later, and then again in less than two hours.  (The IP is again attacking, attempting to inject packets but just unable to get the sequence right.  Too bad, 202.176.209.3.  As a hacker, you suck!)

Word!

Tue, 2012-02-21 03:35:40 - [DNS lookup failed, force renew!]
Tue, 2012-02-21 03:35:50 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: YYY.YYY.YYY.YYY - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]
Tue, 2012-02-21 03:35:53 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: YYY.YYY.YYY.YYY - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]

000096: Feb 21 03:35:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 1 packet

Tue, 2012-02-21 03:35:54 - [Send out NTP Request to 216.245.57.38]
Tue, 2012-02-21 03:36:09 - [NTP Reply Invalid]
Tue, 2012-02-21 03:37:14 - [Send out NTP Request to 209.249.181.21]
Tue, 2012-02-21 03:37:15 - [Receive NTP Reply from 209.249.181.21]

000097: Feb 21 03:40:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 2 packets

Tue, 2012-02-21 07:30:54 - [DNS lookup failed, force renew!]
Tue, 2012-02-21 07:31:04 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: XXX.XXX.XXX.XXX45 - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]
Tue, 2012-02-21 07:31:07 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: XXX.XXX.XXX.XXX45 - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]
Tue, 2012-02-21 07:31:08 - [Send out NTP Request to 216.245.57.38]
Tue, 2012-02-21 07:31:23 - [NTP Reply Invalid]

000098: Feb 21 07:31:54.386 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 3 packets

Tue, 2012-02-21 07:32:28 - [Send out NTP Request to 209.249.181.21]
Tue, 2012-02-21 07:32:29 - [Receive NTP Reply from 209.249.181.21]

000099: Feb 21 09:12:54.386 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 3 packets
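The excerpt above mixes two log formats: the SOHO router's own event lines (the bracketed "DNS lookup failed" and "Access Policy not found" messages) and Cisco IOS ACL log lines (`%SEC-6-IPACCESSLOGDP`, which carries the ICMP type/code in parentheses).  The Python below is an added example, not code from this post; it parses both formats, groups events by source, and pulls out what follows each "DNS lookup failed" trigger within a time window, which is the sequence the write-up is describing.  The regexes are written against the exact line shapes shown here (a real device may vary), the Cisco lines carry no year so 2012 is assumed from the router lines, and the sample log is copied from the excerpt with the author's XXX/YYY placeholders left in place.

```python
import re
from datetime import datetime, timedelta

# Cisco IOS ACL log line with ICMP type/code, as in the excerpt above:
# "000096: Feb 21 03:35:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp A -> B (11/0), 1 packet"
CISCO_ACL_RE = re.compile(
    r"^\d+: (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)\.\d+ \S+: "
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
# SOHO router firewall drop line (format assumed from the excerpt):
ROUTER_DROP_RE = re.compile(
    r"^[A-Z][a-z]{2}, (?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) - (?P<proto>\w+) packet - "
    r"Source: (?P<src>\S+) - Destination: (?P<dst>\S+) - "
    r"\[Access Policy not found, dropping packet Src (?P<sport>\d+) Dst (?P<dport>\d+) from (?P<iface>\w+)\]$"
)
# Generic bracketed router event line, e.g. "[DNS lookup failed, force renew!]":
ROUTER_MSG_RE = re.compile(
    r"^[A-Z][a-z]{2}, (?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) - \[(?P<msg>[^\]]+)\]$"
)

# Standard IANA ICMP type/code meanings; (11, 0) is the pair that appears in the excerpt.
ICMP_NAMES = {
    (11, 0): "time-exceeded, TTL expired in transit",
    (3, 3): "destination unreachable, port unreachable",
    (8, 0): "echo request",
    (0, 0): "echo reply",
}


def parse_line(line, year=2012):
    """Return a normalized event dict for a recognised log line, or None."""
    line = line.strip()
    m = CISCO_ACL_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        tc = (int(m["type"]), int(m["code"]))
        return {"ts": ts, "kind": "acl_deny", "src": m["src"], "dst": m["dst"],
                "detail": ICMP_NAMES.get(tc, f"icmp {tc[0]}/{tc[1]}"), "count": int(m["count"])}
    m = ROUTER_DROP_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        ports = (int(m["sport"]), int(m["dport"]))
        # UDP 67 -> 68 is the DHCP server-to-client direction.
        detail = "dhcp server->client from WAN" if ports == (67, 68) else f"udp {ports[0]}->{ports[1]}"
        return {"ts": ts, "kind": "fw_drop", "src": m["src"], "dst": m["dst"],
                "detail": detail, "count": 1}
    m = ROUTER_MSG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "kind": "router_msg", "src": "router", "dst": "router",
                "detail": m["msg"], "count": 1}
    return None


def summarize(lines, year=2012):
    """Group events by (source, kind, detail): event count, packet total, first/last time."""
    summary = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        key = (ev["src"], ev["kind"], ev["detail"])
        s = summary.setdefault(key, {"events": 0, "packets": 0, "first": ev["ts"], "last": ev["ts"]})
        s["events"] += 1
        s["packets"] += ev["count"]
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return summary


def sequences_after(lines, trigger_msg, window_seconds=60, year=2012):
    """For each router message equal to trigger_msg, return the other events within the window."""
    events = [ev for ev in (parse_line(l, year) for l in lines) if ev is not None]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    out = []
    for trig in (e for e in events if e["kind"] == "router_msg" and e["detail"] == trigger_msg):
        out.append([e for e in events
                    if e is not trig and trig["ts"] <= e["ts"] <= trig["ts"] + window])
    return out


# Sample input copied from the excerpt above (placeholders kept as the author wrote them).
SAMPLE_LOG = [
    "Tue, 2012-02-21 03:35:40 - [DNS lookup failed, force renew!]",
    "Tue, 2012-02-21 03:35:50 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: YYY.YYY.YYY.YYY - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]",
    "Tue, 2012-02-21 03:35:53 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: YYY.YYY.YYY.YYY - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]",
    "000096: Feb 21 03:35:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 1 packet",
    "Tue, 2012-02-21 03:35:54 - [Send out NTP Request to 216.245.57.38]",
    "000097: Feb 21 03:40:54.387 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 2 packets",
    "Tue, 2012-02-21 07:30:54 - [DNS lookup failed, force renew!]",
    "Tue, 2012-02-21 07:31:04 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: XXX.XXX.XXX.XXX45 - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]",
    "Tue, 2012-02-21 07:31:07 - UDP packet - Source: XXX.XXX.XXX.XXX - Destination: XXX.XXX.XXX.XXX45 - [Access Policy not found, dropping packet Src 67 Dst 68 from WAN]",
    "000098: Feb 21 07:31:54.386 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 3 packets",
    "000099: Feb 21 09:12:54.386 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> YYY.YYY.YYY.YYY (11/0), 3 packets",
]

if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s["events"], "events", s["packets"], "packets", s["first"], "->", s["last"])
    for i, seq in enumerate(sequences_after(SAMPLE_LOG, "DNS lookup failed, force renew!")):
        print(f"trigger {i}: {[(e['ts'].time().isoformat(), e['kind']) for e in seq]}")
```

Running it against the excerpt gives one ACL-deny group for 202.176.209.3 (four log entries, nine packets, all ICMP 11/0, spanning 03:35:54 to 09:12:54), one DHCP-from-WAN drop group, and, for each of the two "DNS lookup failed" triggers, the two DHCP drops and the ACL deny that land inside the following minute.  Feeding the same functions a full day of logs instead of this excerpt is what turns the author's eyeball correlation into a repeatable check.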