IDS mailing list archives

Re: DNS packet analysis.


From: "Mark Cooper" <mark () mhc-online co uk>
Date: Wed, 11 Dec 2002 21:47:27 -0000

Hi V.Jay,

There is nothing malicious happening here.

Each DNS response comes in two legitimate-looking fragments, for a total of
1480+575=2055 bytes. By "legitimate looking", I mean that the first fragment
is always at offset 0 and of 1480 bytes, and the second starts at offset
1480. Nothing untoward here.

It shows that the MTU of at least part of the path between DNS.server.com
and outside.guy.com is 1480 bytes. I understand that this is the default MTU
for Win/XP using PPPoE.

Hope this helps.

Regards,

Mark
---
Mark Cooper
SANS GCIA


----- Original Message -----
From: "larosa, vjay" <larosa_vjay () emc com>
To: <focus-ids () securityfocus com>
Sent: Wednesday, December 11, 2002 8:37 PM
Subject: DNS packet analysis.


Hello,

These packets were caught using a shadow IDS sensor. I was hoping that
somebody in the list could help me understand what is happening below. I am
familiar with snort and tcpdump, as well as the concept of packet
fragmentation. I am mostly interested in finding out about the DNS requests
being made, and why they come back fragmented.

TIA.

vjl

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162 [1au][|domain] (DF)
12:15:24.152128 DNS.server.com.33795 > outside.guy.com.domain:  46806 [1au][|domain] (DF)
12:15:24.157454 DNS.server.com.33795 > outside.guy.com.domain:  9239 [1au][|domain] (DF)
12:15:24.158551 DNS.server.com.33795 > outside.guy.com.domain:  46805 [1au][|domain] (DF)
12:15:24.159592 DNS.server.com.33795 > outside.guy.com.domain:  50353 [1au][|domain] (DF)
12:15:24.160626 DNS.server.com.33795 > outside.guy.com.domain:  17807 [1au][|domain] (DF)
12:15:24.161826 DNS.server.com.33795 > outside.guy.com.domain:  19219 [1au][|domain] (DF)
12:15:24.163753 DNS.server.com.33795 > outside.guy.com.domain:  59633 [1au][|domain] (DF)
12:15:24.164545 DNS.server.com.33795 > outside.guy.com.domain:  18273 [1au][|domain] (DF)
12:15:24.165679 DNS.server.com.33795 > outside.guy.com.domain:  48440 [1au][|domain] (DF)
12:15:24.166673 DNS.server.com.33795 > outside.guy.com.domain:  61217 [1au][|domain] (DF)
12:15:24.167800 DNS.server.com.33795 > outside.guy.com.domain:  29311 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795: 46806[|domain] (frag 48819:1480@0+)
12:15:24.295649 outside.guy.com > DNS.server.com: (frag 48819:575@1480)
12:15:24.333422 outside.guy.com.domain > DNS.server.com.33795: 9239[|domain] (frag 48820:1480@0+)
12:15:24.333473 outside.guy.com > DNS.server.com: (frag 48820:575@1480)
12:15:24.360503 outside.guy.com.domain > DNS.server.com.33795: 46805[|domain] (frag 48821:1480@0+)
12:15:24.360554 outside.guy.com > DNS.server.com: (frag 48821:575@1480)
12:15:24.392889 outside.guy.com.domain > DNS.server.com.33795: 50353[|domain] (frag 48822:1480@0+)
12:15:24.392940 outside.guy.com > DNS.server.com: (frag 48822:575@1480)
12:15:24.428942 outside.guy.com.domain > DNS.server.com.33795: 17807[|domain] (frag 48823:1480@0+)
12:15:24.428994 outside.guy.com > DNS.server.com: (frag 48823:575@1480)
12:15:24.459730 outside.guy.com.domain > DNS.server.com.33795: 19219[|domain] (frag 48824:1480@0+)
12:15:24.459781 outside.guy.com > DNS.server.com: (frag 48824:575@1480)
12:15:24.494179 outside.guy.com.domain > DNS.server.com.33795: 59633[|domain] (frag 48825:1480@0+)
12:15:24.494232 outside.guy.com > DNS.server.com: (frag 48825:575@1480)
12:15:24.525783 outside.guy.com.domain > DNS.server.com.33795: 18273[|domain] (frag 48826:1480@0+)
12:15:24.525841 outside.guy.com > DNS.server.com: (frag 48826:575@1480)
12:15:24.559128 outside.guy.com.domain > DNS.server.com.33795: 48440[|domain] (frag 48827:1480@0+)
12:15:24.559176 outside.guy.com > DNS.server.com: (frag 48827:575@1480)
12:15:24.594751 outside.guy.com.domain > DNS.server.com.33795: 61217[|domain] (frag 48828:1480@0+)
12:15:24.594801 outside.guy.com > DNS.server.com: (frag 48828:575@1480)
12:15:24.624849 outside.guy.com.domain > DNS.server.com.33795: 29311[|domain] (frag 48829:1480@0+)
12:15:24.624903 outside.guy.com > DNS.server.com: (frag 48829:575@1480)
12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain:  4322 [1au][|domain] (DF)
12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795: 4322[|domain] (frag 48830:1480@0+)
12:23:55.641364 outside.guy.com > DNS.server.com: (frag 48830:575@1480)
12:26:55.978869 ns2.lss.emc.com.61962 > outside.guy.com.domain:  40970 [1au][|domain] (DF)
12:26:56.127074 outside.guy.com.domain > ns2.lss.emc.com.61962: 40970[|domain] (frag 6266:1480@0+)
12:26:56.127125 outside.guy.com > ns2.lss.emc.com: (frag 6266:575@1480)


V.Jay LaRosa              EMC Corporation
Information Security      171 South Street
(508)249-3355 office      Hopkinton, MA 01748
(508)498-5575 cell        www.emc.com
(888)799-9750 pager       larosa_vjay () emc com
(508)497-8082 fax
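
The fragment sanity check Mark describes above, written out as an added example
(this is not code from either message or from any IDS product). It parses
tcpdump "frag" lines of the kind quoted in the thread, groups the fragments of
one datagram by source, destination and IP ID, and then verifies what
"legitimate looking" means in practice: the first fragment sits at offset 0,
each following fragment begins exactly where the previous one ended (no gap,
no overlap), every fragment but the last has the more-fragments flag and an
8-byte-aligned length, and the last one does not. The sample input is
constructed: two datagrams copied from the capture (IP IDs 48818 and 48819)
plus an invented overlapping pair (IP ID 99999) to show what an IDS would flag.
The host-name handling and the 20-byte IPv4 header assumption are mine.

```python
import re
from collections import defaultdict

# Constructed sample: two datagrams copied from the capture in the post
# (IP IDs 48818 and 48819) and one invented, overlapping pair (IP ID 99999)
# whose second fragment starts 8 bytes inside the first.
SAMPLE = """\
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795: 46806[|domain] (frag 48819:1480@0+)
12:15:24.295649 outside.guy.com > DNS.server.com: (frag 48819:575@1480)
12:15:25.000000 outside.guy.com.domain > DNS.server.com.33795: 1234[|domain] (frag 99999:1480@0+)
12:15:25.000050 outside.guy.com > DNS.server.com: (frag 99999:575@1472)
"""

# tcpdump 3.x style: "<ts> <src> > <dst>: ... (frag <id>:<len>@<off>[+])"
# <len> is the fragment payload length, <off> its byte offset, "+" = MF set.
FRAG_RE = re.compile(
    r"^\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):.*"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

IPV4_HEADER = 20  # bytes; assumes no IP options


def _host(name):
    """Strip the port tcpdump appends to the first fragment only, so that
    'outside.guy.com.domain' and 'outside.guy.com' key the same datagram.
    Only numeric ports and 'domain' are handled (an assumption; enough for DNS)."""
    head, _, tail = name.rpartition(".")
    return head if tail.isdigit() or tail == "domain" else name


def parse_fragments(text):
    """Group (offset, length, more_fragments) tuples by (src, dst, ip_id)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.match(line)
        if not m:
            continue  # unfragmented line (e.g. the queries), skip it
        key = (_host(m["src"]), _host(m["dst"]), int(m["id"]))
        groups[key].append((int(m["off"]), int(m["len"]), m["more"] == "+"))
    return groups


def check_datagram(frags):
    """Return a list of problems; an empty list means the fragments abut
    exactly and reassemble into one contiguous datagram."""
    problems = []
    frags = sorted(frags)
    if frags[0][0] != 0:
        problems.append("first fragment is not at offset 0")
    end = frags[0][0] + frags[0][1]
    for off, length, _ in frags[1:]:
        if off < end:
            problems.append(f"overlap: fragment at {off} starts before {end}")
        elif off > end:
            problems.append(f"gap: fragment at {off}, previous ended at {end}")
        end = off + length
    for off, length, more in frags[:-1]:
        if not more:
            problems.append(f"fragment at {off} lacks MF but is not last")
        if length % 8:
            problems.append(f"non-final fragment at {off} is not 8-byte aligned")
    if frags[-1][2]:
        problems.append("last fragment still has MF set; datagram incomplete")
    return problems


def summarize(text):
    """Per datagram: fragment count, total payload, largest fragment payload,
    the on-wire size of that largest fragment, and any problems found."""
    report = {}
    for key, frags in parse_fragments(text).items():
        lengths = [length for _, length, _ in frags]
        report[key] = {
            "fragments": len(frags),
            "payload": sum(lengths),          # only meaningful with no overlap
            "largest": max(lengths),
            "wire_size": max(lengths) + IPV4_HEADER,
            "problems": check_datagram(frags),
        }
    return report


if __name__ == "__main__":
    for (src, dst, ip_id), r in summarize(SAMPLE).items():
        status = "OK" if not r["problems"] else "; ".join(r["problems"])
        print(f"{src} > {dst} id={ip_id}: {r['fragments']} frags, "
              f"{r['payload']} bytes payload, largest {r['largest']}: {status}")
```

Run against the two real datagrams, the checker reports two fragments,
2055 bytes of payload and no problems, matching Mark's reading; the largest
fragment carries 1480 bytes, which with a 20-byte IPv4 header is a 1500-byte
packet on the wire. The constructed ID 99999 pair is reported as an overlap,
which is the shape a fragment-based evasion or a Teardrop-style attack would
take and exactly what Mark is saying this capture does not show.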
