Message-ID: <4B797D6B8F959944ABB368EB397389A703482382@fsjubj10.exchange.gunter.af.mil>
From: Faron.Golden at Gunter.AF.mil (Golden Faron P Contr HQ SSG/XOON)
Subject: Weird dns queries increasing

We have been observing a steadily increasing rate of malformed DNS
packets with predictable characteristics that do not exactly match any
of the current discussions about malformed DNS packets.  The packets are
UDP and destined to port 53 from random high ports and from random
sources to random hosts.  We have seen at least three flavors of
malformed DNS query packets with these characteristics:

Packet 1 (for lack of a better description)
Src:  81.41.208.187		dst: AAA.BBB.239.228  (non-existent host)
Src port: 53			dst port: 53
UDP
QR
Opcode		Standard query
AA		Authoritative answer is False
TC		Truncation is False
RD		Recursion desired is False
RA		Recursion available is True
Z		111
RCODE		1110
Number of question records	53380
Number of answer records	16128
Number of Authority records	0
Number of Additional records	0

Packet 2
Src:  216.233.100.27		dst:  AAA.BBB.234.206 (non-existent host)
Src port:  40385			dst port: 53
UDP
Opcode		Standard query
AA		Authoritative answer is False
TC		Truncation is False
RD		Recursion desired is False
RA		Recursion available is True
Z		111
RCODE		1110
Number of question records	1155
Number of answer records	16128
Number of Authority records	0
Number of Additional records	0

Packet 3
Src:  66.227.160.128		dst:  AAA.BBB.217.234 (non-existent host)
Src port: 53			dst port: 53
UDP
Opcode		Standard query
AA		Authoritative answer is False
TC		Truncation is False
RD		Recursion desired is False
RA		Recursion available is True
Z		111
RCODE		1110
Number of question records	53380
Number of answer records	16166
Number of Authority records	8
Number of Additional records	5082
Question Records
	Question Record	1			1110

Any ideas?

Faron

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031015/abf94e56/attachment.html
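
The header fields listed in the message above can be checked mechanically. The following is an added example, not part of the original post: a sanity check over the 12-byte DNS header that reports why a port-53 UDP payload is implausible. It assumes QR=0 (the post calls the packets queries but gives no QR value), and the transaction ID and body bytes of the sample are constructed.

```python
import struct

# Smallest possible encodings: question = root name (1) + type (2) + class (2);
# resource record = question fields + TTL (4) + RDLENGTH (2).
MIN_QUESTION, MIN_RR = 5, 11

def dns_header_anomalies(payload: bytes) -> list[str]:
    """Return short codes for each way a UDP/53 payload's DNS header is implausible."""
    if len(payload) < 12:
        return ["short-header"]
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    ra, rcode = (flags >> 7) & 1, flags & 0xF
    found = []
    # The post shows Z as three bits (RFC 1035). Two of them were later
    # assigned as AD and CD, so only the still-reserved top bit is checked.
    if flags & 0x0040:
        found.append("reserved-z-set")
    if qr == 0 and opcode == 0:  # standard query
        if ra:
            found.append("ra-in-query")       # RA is set by servers in responses
        if rcode:
            found.append("rcode-in-query")    # response codes belong to responses
        if an or ns:
            found.append("records-in-query")  # a standard query carries no answers
    # Counts that cannot fit in the bytes actually received.
    if qd * MIN_QUESTION + (an + ns + ar) * MIN_RR > len(payload) - 12:
        found.append("counts-exceed-payload")
    return found

# Constructed samples. PACKET_1 uses the flag bits and counts listed for
# "Packet 1"; the transaction ID, QR=0 and the 20 body bytes are assumptions.
PACKET_1 = struct.pack("!6H", 0x1234, 0x00FE, 53380, 16128, 0, 0) + b"\x00" * 20
NORMAL_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))

if __name__ == "__main__":
    for name, pkt in (("packet 1", PACKET_1), ("normal query", NORMAL_QUERY)):
        print(name, dns_header_anomalies(pkt))
```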
