Message-ID: <4B797D6B8F959944ABB368EB397389A703482382@fsjubj10.exchange.gunter.af.mil>
From: Faron.Golden at Gunter.AF.mil (Golden Faron P Contr HQ SSG/XOON)
Subject: Weird dns queries increasing
We have been observing a steadily increasing rate of malformed DNS
packets with predictable characteristics that do not exactly match any
of the current discussions about malformed DNS packets. The packets are
UDP and destined to port 53 from random high ports and from random
sources to random hosts. We have seen at least three flavors of
malformed DNS query packets with these characteristics:
Packet 1 (for lack of a better description)
Src: 81.41.208.187 dst: AAA.BBB.239.228 (non-existent host)
Src port: 53 dst port: 53
UDP
QR
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 53380
Number of answer records 16128
Number of Authority records 0
Number of Additional records 0
Packet 2
Src: 216.233.100.27 dst: AAA.BBB.234.206 (non-existent host)
Src port: 40385 dst port: 53
UDP
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 1155
Number of answer records 16128
Number of Authority records 0
Number of Additional records 0
Packet 3
Src: 66.227.160.128 dst: AAA.BBB.217.234 (non-existent host)
Src port: 53 dst port: 53
UDP
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 53380
Number of answer records 16166
Number of Authority records 8
Number of Additional records 5082
Question Records
Question Record 1 1110
Any ideas?
Faron
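
A header check for the pattern reported in the message above, as an added example that is not part of the original post: it decodes the 12-byte DNS header and lists the fields that are inconsistent with a standard query. The function names, the packet ID and the payload length are assumptions; the flag bits and record counts are those listed for "Packet 2".

```python
import struct

def parse_dns_header(data: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(data) < 12:
        raise ValueError("DNS header needs 12 bytes, got %d" % len(data))
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1, "z": flags >> 4 & 7, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def query_anomalies(data: bytes) -> list:
    """List the reasons a standard query (QR=0, opcode 0) looks malformed."""
    h = parse_dns_header(data)
    if h["qr"] != 0 or h["opcode"] != 0:
        return []  # responses and other opcodes need their own rules
    reasons = []
    if h["ra"]:
        reasons.append("RA set in a query")
    # Later DNSSEC RFCs reuse the low two Z bits (AD, CD); the top bit stays reserved.
    if h["z"] & 0b100:
        reasons.append("reserved Z bit set")
    if h["rcode"]:
        reasons.append("RCODE non-zero in a query")
    if h["ancount"]:
        reasons.append("ANCOUNT non-zero in a standard query")
    # Smallest possible question: root name (1 byte) + QTYPE (2) + QCLASS (2).
    if h["qdcount"] * 5 > len(data) - 12:
        reasons.append("QDCOUNT exceeds what the payload can hold")
    return reasons

# Constructed samples. MALFORMED uses the flag bits and counts listed for
# "Packet 2"; the ID (0x1234) and the 20 padding bytes are assumptions, since
# the post gives neither the ID nor the packet length.
MALFORMED = struct.pack("!6H", 0x1234, 0x00FE, 1155, 16128, 0, 0) + b"\x00" * 20
# A well-formed query for example.com A/IN with only RD set, for contrast.
NORMAL = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))

if __name__ == "__main__":
    for name, pkt in (("malformed", MALFORMED), ("normal", NORMAL)):
        print(name, query_anomalies(pkt))
```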