Full Disclosure mailing list archives
Weird dns queries increasing
From: "Golden Faron P Contr HQ SSG/XOON" <Faron.Golden () Gunter AF mil>
Date: Wed, 15 Oct 2003 16:28:36 -0500
We have been observing a steadily increasing rate of malformed DNS packets with predictable characteristics that do not exactly match any of the current discussions about malformed DNS packets. The packets are UDP and destined to port 53 from random high ports and from random sources to random hosts. We have seen at least three flavors of malformed DNS query packets with these characteristics:

Packet 1 (for lack of a better description)
Src: 81.41.208.187 dst: AAA.BBB.239.228 (non-existent host)
Src port: 53 dst port: 53 UDP
QR
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 53380
Number of answer records 16128
Number of Authority records 0
Number of Additional records 0

Packet 2
Src: 216.233.100.27 dst: AAA.BBB.234.206 (non-existent host)
Src port: 40385 dst port: 53 UDP
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 1155
Number of answer records 16128
Number of Authority records 0
Number of Additional records 0

Packet 3
Src: 66.227.160.128 dst: AAA.BBB.217.234 (non-existent host)
Src port: 53 dst port: 53 UDP
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 53380
Number of answer records 16166
Number of Authority records 8
Number of Additional records 5082
Question Records
Question Record 1 1110

Any ideas?

Faron
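The header fields listed in the post can be checked mechanically. The sketch below is an added example, not part of the original message: it decodes the 12-byte DNS header and reports why each of the three posted headers is implausible as a query. The function names are hypothetical, the transaction ID 0x1234 is constructed, QR is assumed to be 0 because the post calls the packets queries, and no payload is included because the post does not give one.

```python
import struct

def parse_dns_header(data: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1,
        "z": flags >> 4 & 0x7,   # 3-bit Z field, as the post's decoder shows it
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def query_anomalies(data: bytes) -> list:
    """Return reasons why a packet sent to port 53 is not a plausible query."""
    h, reasons = parse_dns_header(data), []
    if h["qr"] == 0:                      # header claims to be a query
        if h["ra"]:
            reasons.append("RA set in a query")
        if h["rcode"]:
            reasons.append("non-zero RCODE in a query")
        if h["ancount"]:
            reasons.append("answer records in a query")
    if h["z"] & 0b100:                    # top Z bit is still reserved; the
        reasons.append("reserved Z bit set")  # lower two later became AD and CD
    # Smallest possible question is 5 bytes, smallest resource record 11 bytes.
    needed = 5 * h["qdcount"] + 11 * (h["ancount"] + h["nscount"] + h["arcount"])
    if needed > len(data) - 12:
        reasons.append("record counts exceed payload length")
    return reasons

def header(flags, qd, an, ns, ar, ident=0x1234):
    """Build a header; the ID 0x1234 is constructed, the post does not give one."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

# Flags 0x00FE = QR 0 (assumed), RA 1, Z 111, RCODE 1110; counts as posted.
POSTED = {
    "packet 1": header(0x00FE, 53380, 16128, 0, 0),
    "packet 2": header(0x00FE, 1155, 16128, 0, 0),
    "packet 3": header(0x00FE, 53380, 16166, 8, 5082),
}
# Constructed well-formed query for example.com A/IN, for contrast.
CLEAN = header(0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for name, pkt in {**POSTED, "clean": CLEAN}.items():
        print(name, query_anomalies(pkt))
```

The count-versus-length check is the most portable of these tests, since it does not depend on how a decoder labels the flag bits.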