Bugtraq mailing list archives
Re: DNS query spam
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 30 Nov 2005 10:20:31 +0100
* Josep Ma Castells:
I have the same problem, now I'm blocking this attempts with iptables and the Recent module when a number of tries is reached. This is the content of the packet: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/20/05-19:17:37.177173 168.143.XXX.XX:11752 -> YYY.YYY.Y.YY:53 UDP TTL:233 TOS:0x0 ID:34960 IpLen:20 DgmLen:68 DF Len: 48 0x0000: 00 07 95 C2 6A 32 00 04 76 DA CB 14 08 00 45 00 ....j2..v.....E. 0x0010: 00 44 88 90 40 00 E9 11 2A D5 A8 8F 71 0A C0 A8 .D..@...*...q... 0x0020: 04 01 2D E8 00 35 00 30 00 00 20 9E 01 00 00 01 ..-..5.0.. ..... 0x0030: 00 00 00 00 00 01 01 65 05 6D 70 69 73 69 03 63 .......e.mpisi.c 0x0040: 6F 6D 00 00 FF 00 FF 00 00 29 27 10 00 00 00 00 om.......)'..... 0x0050: 00 00 .. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Interesting. This packet allegedly came from www.anonymizer.com (168.143.113.10). It apparently has undergone NAT, so its contents might have been garbled, but: In contrast to Piotr's packets, this one does contain an OPT RR (type 0x29). The sender buffer length (encoded in the class field of the RR) is set to 10000.
Current thread:
- DNS query spam Piotr Kamisiski (Nov 28)
- Re: DNS query spam Josep Ma Castells (Nov 29)
- Re: DNS query spam Florian Weimer (Nov 30)
- Re: DNS query spam Joe (Nov 30)
- Re: DNS query spam Antone Roundy (Nov 29)
- Re: DNS query spam Stephen Stuart (Nov 30)
- Re: DNS query spam Alexander Lourier (Nov 29)
- Re: DNS query spam Florian Weimer (Nov 29)
- Re: DNS query spam Piotr Kamisiski (Nov 29)
- Re: DNS query spam Jim Pingle (Nov 30)
- Re: DNS query spam Josep Ma Castells (Nov 29)