Detected DNS cache poisoning attack?

Wondering what it is. I got several of them today, and straight after deleting from the log- They appeared again.

IP pinpoints to China. No company or anything thats registered to it.

 

Im getting more of these messages in real time now.

 

Anyone? The IP which is the source is: "113.105.171.112:53"
"113.105.169.115:53"

What does this mean?

 

Anyone?

 

Hello again satasonic!

So it's not Akamai this time?

And what were you doing when you saw the first attack?

 

Do you recognize those DNS IPs has belonging to your ISP (Internet Service Provider)? 53 means it's DNS.

Have you verified your router settings / Windows networking settings to verify whether or not your ISP DNS IPs have been changed to those?

 

Good day SweX, m00n

They didnt come up for an hour, but at that time I was just browsing different forums. Then I checked my firewall, and several of those messages were there. I deleted the log and went back to browsing, and when I checked in 5 mins there were several of them already there.


Im not on a router, im on a regular modem. Im from Australia- I dont think those IP ranges belong to my ISP since they seem to be located in China (?).

Thanks for the comments. Can it be a false positive?

Ps. Been using ESS for 3 years. Sadly in the last week problems started crashing out upon me

 

Open Windows command line and type ipconfig /all. See what IPs you get for the DNS Servers.

 

One question though- You said that the :53 at the end means something. Could you please explain it in easy language?

 

I also thought that Chinese might actually do that sort of stuff? I dont know what they do but it seems that most attacks originate from China to many users.

 

Satasonic.
Make a search on those IP's on this site and you will find more info about them http://tools.whois.net/whoisbyip/

Without the :53 at the end. Just like this 113.105.171.112

Edit: hmmm on my first search on this IP, the report did mention Brisbane.
But on the second search only China Telecom, weird.

 

I got the same, first it stated both china and brisbane, then only china. The attacks stopped now, so maybe it was just a false positive. Hopefully it was just normal network traddic

 

OK.

53 means it's port 53. Port 53 is bound to DNS (Domain Name System). DNS translates domains (such as www.wilderssecurity.com) to their respective IP addresses.

Read more about DNS cache poisoning -https://secure.wikimedia.org/wikipedia/en/wiki/DNS_cache_poisoning

-http://isc.sans.edu/presentations/dnspoisoning.html

I'd believe there could be some problem with your ISP, perhaps. Try to get in touch with them and explain the situation... who knows.

But, exclude the possibility that your system is compromised by malware. Some malware changes the DNS IPs in our systems.

I don't know if Eset reports such situations as also being DNS cache poisoning, due to traffic being redirected as well.

Eset support will known better than me, that's for sure.

One thing I know, if Eset is blocking those IPs belong to DNS servers that are not your ISPs, then something isn't right.

Have you performed the command I mentioned? Open Windows cmd line and type ipconfig /all

See what IPs are in the DNS servers part.

-edit-

Take a look here -https://secure.dshield.org/ipinfo.html?ip=113.105.171.112