    Posted Jul 10, 2010 3:01:04 PM
    anyone else getting "malicious response" from AT&T servers

    We have been experiencing some issues with our DC among other things. I started taking a look at the gateway logs and noticed malicious responses from the DNS server that keep coming up... any ideas or has anyone seen this before?

     

    model HGV3800B

    Hardware Version2700-100531-006
    Software Version6.1.9.24-enh.tm
    INF2010-07-10T04:19:50-05:00named:  Previous log entry repeated 1 times
    INF2010-07-10T04:20:19-05:00cwmd:  session completed successfully
    INF2010-07-10T04:20:34-05:00system:  memfs: compression completed
    INF2010-07-10T04:20:36-05:00named:  dropped malicious resp from 68.94.156.1
    INF2010-07-10T16:55:35-05:00named:  Previous log entry repeated 1790 times

    Jul 10, 2010 10:46:04 PM
    Employee

    That is an unfortunate choice of words for an error message that indicates that a legal and valid DNS server (but not the one that was requested) responded to the DNS request.

     

    It frequently is that the first server request times out, so a second server is tried, then the first one responds (for whatever reason) albeit very late.

     

    If you capture the process with Wireshark or similar, you can see the specific sequence; it's consistent. The malicious server is still one of the 68.94.156.1 or 157.1 ... every time.

     

    Usually, once the requested address is in the RG's cache, the error drops off until the next (previously unused address) lookup happens.

     

    My understanding is that the unfortunate language will be replaced with something more accurate (and less alarming) in the next maintenance release.

     

     

    Sent from my phone.
    *I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.

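The late-reply sequence the employee describes above, as an added illustration that is not code from the RG firmware or from AT&T: a toy stub-forwarder model in which the check that matters is whether a reply matches an outstanding query (transaction ID and question) and comes from a server that query was actually sent to. A reply that matches but arrives from the earlier, timed-out server is discarded as harmless, which is what the gateway logs as "dropped malicious resp". The 68.94.157.1 address is assumed from the "157.1" shorthand in the post; the query names and the 203.0.113.5 source are constructed.

```python
from dataclasses import dataclass, field

# Assumed upstream resolvers, taken from the addresses mentioned in the thread.
UPSTREAMS = ("68.94.156.1", "68.94.157.1")


@dataclass
class Pending:
    qname: str
    tried: list = field(default_factory=list)  # servers this query was sent to, in order


class StubForwarder:
    """Toy model of the gateway's forwarding and reply-validation logic (constructed)."""

    def __init__(self, upstreams=UPSTREAMS):
        self.upstreams = upstreams
        self.pending = {}  # txid -> Pending

    def send(self, txid, qname):
        # First attempt always goes to the primary server.
        self.pending[txid] = Pending(qname, [self.upstreams[0]])

    def timeout(self, txid):
        # No answer in time: retry the same question at the next server.
        p = self.pending[txid]
        p.tried.append(self.upstreams[len(p.tried) % len(self.upstreams)])

    def receive(self, txid, qname, src):
        p = self.pending.get(txid)
        if p is None or p.qname != qname:
            return "drop: no matching outstanding query"     # forged, stale or duplicate
        if src not in self.upstreams:
            return "drop: source is not a configured server"  # genuinely unexpected sender
        if src != p.tried[-1]:
            return "drop: late reply from earlier server"     # the logged 'malicious resp' case
        del self.pending[txid]
        return "accept"


def scenario():
    """Replays the sequence from the thread and returns each reply's classification."""
    r = StubForwarder()
    r.send(0x1234, "example.com.")
    r.timeout(0x1234)  # 68.94.156.1 stayed silent, so the query was retried at 68.94.157.1
    r.send(0x5678, "example.org.")
    return [
        r.receive(0x1234, "example.com.", "68.94.156.1"),  # late answer from the first server
        r.receive(0x1234, "example.com.", "68.94.157.1"),  # the answer currently awaited
        r.receive(0x1234, "example.com.", "68.94.157.1"),  # duplicate after the query completed
        r.receive(0x5678, "example.org.", "203.0.113.5"),  # matching txid, unknown sender
    ]
```

Only the first outcome corresponds to the thread's log line; the last one is the case a gateway should treat as genuinely suspicious, and a real resolver additionally randomizes the source port and transaction ID so that a forged reply cannot match an outstanding query.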
    Jul 11, 2010 2:02:52 AM
    Contributor

    Thanks for the clarification.

     

    Sep 23, 2010 4:25:43 AM
    Contributor

    I too have been receiving the "Malicious Response" from the same IP address over the course of several months. I'm not sure I agree with the response (answer) you received. I could accept the explanation if you were only receiving a few responses, but since your log (and mine) often show over 1000 responses it doesn't make sense to me.

     

    In my case, here's some additional information you may want to investigate on your network:

     

    After these malicious response messages started I started noticing devices attaching to my internal network. The MAC addresses that would show up in the logs did not belong to any of my equipment on the network. The Level III technicians tell me this can't happen, yet these devices kept showing up. Each time I would clear all my connections, reset passwords (using 35 characters for system and wireless passwords), change the internal IP addressing scheme, apply MAC filtering to block these MAC addresses etc.... and these devices, after a few days, would begin showing up again. I went through this process four times before I finally requested a new "RG" (Residential Gateway) be installed; this would change both my external IP address and the MAC address. The tech came last night and installed the new gateway. Checking my logs this morning I find only a few malicious responses coming from that IP address, instead of the 1000's I used to receive. I have not noticed any "rogue" devices yet but it is too early to tell if this issue has been resolved. It would usually take a few days, after I cleared/changed everything, for these devices to start showing up again.

     

    I can't explain why/how any of this happened yet, neither can the AT&T engineers, but it is my humble opinion that something is "up" with that particular DNS server. As a Security Analyst I would be very interested in understanding what the cause of these messages really is, what's going on with that server and how someone obtained an internal IP address from my network when I had implemented every security process I am aware of to prevent it.

     

    I don't suppose any of this will make you sleep better at night but I googled the @$#%@ out of this issue and couldn't come up with anything to explain it so I thought I would share my experience with you.

    Sep 23, 2010 12:13:12 PM
    Employee

     


    If you catch a trace of the bi-directional traffic, you will see that it is exactly as described (aside from some simplification to prevent non-technical people's heads from exploding). If something / someone else is popping up on your system, it's not AT&T / U-Verse's fault.

     

    Sent from my phone.
    *I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.
