IDS mailing list archives
Re: DNS packet analysis.
From: "Mark Cooper" <mark () mhc-online co uk>
Date: Wed, 11 Dec 2002 21:47:27 -0000
Hi V.Jay,

There is nothing malicious happening here. Each DNS response comes in two legitimate-looking fragments, for a total of 1480+575=2055 bytes. By "legitimate looking", I mean that the first fragment is always at offset 0 and of 1480 bytes, and the second starts at offset 1480. Nothing untoward here.

It shows that the MTU of at least part of the path between DNS.server.com and outside.guy.com is 1480 bytes. I understand that this is the default MTU for Win/XP using PPPoE.

Hope this helps.

Regards,
Mark

---
Mark Cooper
SANS GCIA

----- Original Message -----
From: "larosa, vjay" <larosa_vjay () emc com>
To: <focus-ids () securityfocus com>
Sent: Wednesday, December 11, 2002 8:37 PM
Subject: DNS packet analysis.
Hello,

These packets were caught using a shadow IDS sensor. I was hoping that somebody in the list could help me understand what is happening below. I am familiar with snort and tcpdump, as well as the concept of packet fragmentation. I am mostly interested in finding out about the DNS requests being made, and why they come back fragmented.

TIA.

vjl

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.152128 DNS.server.com.33795 > outside.guy.com.domain: 46806 [1au][|domain] (DF)
12:15:24.157454 DNS.server.com.33795 > outside.guy.com.domain: 9239 [1au][|domain] (DF)
12:15:24.158551 DNS.server.com.33795 > outside.guy.com.domain: 46805 [1au][|domain] (DF)
12:15:24.159592 DNS.server.com.33795 > outside.guy.com.domain: 50353 [1au][|domain] (DF)
12:15:24.160626 DNS.server.com.33795 > outside.guy.com.domain: 17807 [1au][|domain] (DF)
12:15:24.161826 DNS.server.com.33795 > outside.guy.com.domain: 19219 [1au][|domain] (DF)
12:15:24.163753 DNS.server.com.33795 > outside.guy.com.domain: 59633 [1au][|domain] (DF)
12:15:24.164545 DNS.server.com.33795 > outside.guy.com.domain: 18273 [1au][|domain] (DF)
12:15:24.165679 DNS.server.com.33795 > outside.guy.com.domain: 48440 [1au][|domain] (DF)
12:15:24.166673 DNS.server.com.33795 > outside.guy.com.domain: 61217 [1au][|domain] (DF)
12:15:24.167800 DNS.server.com.33795 > outside.guy.com.domain: 29311 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795: 46806[|domain] (frag 48819:1480@0+)
12:15:24.295649 outside.guy.com > DNS.server.com: (frag 48819:575@1480)
12:15:24.333422 outside.guy.com.domain > DNS.server.com.33795: 9239[|domain] (frag 48820:1480@0+)
12:15:24.333473 outside.guy.com > DNS.server.com: (frag 48820:575@1480)
12:15:24.360503 outside.guy.com.domain > DNS.server.com.33795: 46805[|domain] (frag 48821:1480@0+)
12:15:24.360554 outside.guy.com > DNS.server.com: (frag 48821:575@1480)
12:15:24.392889 outside.guy.com.domain > DNS.server.com.33795: 50353[|domain] (frag 48822:1480@0+)
12:15:24.392940 outside.guy.com > DNS.server.com: (frag 48822:575@1480)
12:15:24.428942 outside.guy.com.domain > DNS.server.com.33795: 17807[|domain] (frag 48823:1480@0+)
12:15:24.428994 outside.guy.com > DNS.server.com: (frag 48823:575@1480)
12:15:24.459730 outside.guy.com.domain > DNS.server.com.33795: 19219[|domain] (frag 48824:1480@0+)
12:15:24.459781 outside.guy.com > DNS.server.com: (frag 48824:575@1480)
12:15:24.494179 outside.guy.com.domain > DNS.server.com.33795: 59633[|domain] (frag 48825:1480@0+)
12:15:24.494232 outside.guy.com > DNS.server.com: (frag 48825:575@1480)
12:15:24.525783 outside.guy.com.domain > DNS.server.com.33795: 18273[|domain] (frag 48826:1480@0+)
12:15:24.525841 outside.guy.com > DNS.server.com: (frag 48826:575@1480)
12:15:24.559128 outside.guy.com.domain > DNS.server.com.33795: 48440[|domain] (frag 48827:1480@0+)
12:15:24.559176 outside.guy.com > DNS.server.com: (frag 48827:575@1480)
12:15:24.594751 outside.guy.com.domain > DNS.server.com.33795: 61217[|domain] (frag 48828:1480@0+)
12:15:24.594801 outside.guy.com > DNS.server.com: (frag 48828:575@1480)
12:15:24.624849 outside.guy.com.domain > DNS.server.com.33795: 29311[|domain] (frag 48829:1480@0+)
12:15:24.624903 outside.guy.com > DNS.server.com: (frag 48829:575@1480)
12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain: 4322 [1au][|domain] (DF)
12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795: 4322[|domain] (frag 48830:1480@0+)
12:23:55.641364 outside.guy.com > DNS.server.com: (frag 48830:575@1480)
12:26:55.978869 ns2.lss.emc.com.61962 > outside.guy.com.domain: 40970 [1au][|domain] (DF)
12:26:56.127074 outside.guy.com.domain > ns2.lss.emc.com.61962: 40970[|domain] (frag 6266:1480@0+)
12:26:56.127125 outside.guy.com > ns2.lss.emc.com: (frag 6266:575@1480)

V.Jay LaRosa
EMC Corporation
Information Security
171 South Street, Hopkinton, MA 01748
(508)249-3355 office
(508)498-5575 cell
(888)799-9750 pager
(508)497-8082 fax
larosa_vjay () emc com
www.emc.com
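The check Mark describes above (first fragment at offset 0 and 1480 bytes long, second fragment starting exactly at 1480, total 2055 bytes) can be automated over tcpdump's "(frag id:len@offset+)" annotations. The script below is an added example written for this archive page; it is not code from either poster. It groups fragments by IP identification, verifies that each datagram's fragment train is contiguous, starts at offset 0, has the More Fragments bit set on every fragment except the last, and that non-final fragments are multiples of 8 bytes as IPv4 requires. It also reports the packet size the fragmenting hop forwarded, computed as the first fragment's payload plus a 20-byte IPv4 header (an assumption: no IP options). The sample input mixes lines taken from vjay's trace with one constructed, deliberately overlapping train (identification 9999, not on the page) so the anomaly path is exercised too.

```python
import re
from collections import defaultdict

# tcpdump prints fragments as "(frag id:len@offset+)"; the trailing '+'
# marks the More Fragments (MF) bit. Only the first fragment carries the
# UDP header, which is why the second line in the trace shows no ports.
FRAG_RE = re.compile(
    r"\(frag (?P<id>\d+):(?P<length>\d+)@(?P<offset>\d+)(?P<more>\+?)\)")

IPV4_HEADER_LEN = 20  # assumption: no IP options on the fragmenting hop

# Constructed sample: three lines from the posted trace plus one
# hypothetical overlapping train (id 9999) that a sound stack never emits.
SAMPLE = [
    "12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: "
    "56162[|domain] (frag 48818:1480@0+)",
    "12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)",
    "12:26:56.127074 outside.guy.com.domain > ns2.lss.emc.com.61962: "
    "40970[|domain] (frag 6266:1480@0+)",
    "12:26:56.127125 outside.guy.com > ns2.lss.emc.com: (frag 6266:575@1480)",
    "12:30:00.000001 outside.guy.com.domain > DNS.server.com.33795: "
    "1[|domain] (frag 9999:1480@0+)",          # constructed
    "12:30:00.000002 outside.guy.com > DNS.server.com: (frag 9999:600@1400)",  # constructed
]


def parse_fragments(lines):
    """Group (offset, length, more_fragments) tuples by IP identification."""
    groups = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            groups[int(m["id"])].append(
                (int(m["offset"]), int(m["length"]), m["more"] == "+"))
    return groups


def check_datagram(frags):
    """Return (reassembled_length, problems) for one datagram's fragments.

    An empty problems list means the train is well formed: it starts at
    offset 0, is contiguous with no overlap or gap, MF is set on every
    fragment but the last, and non-final lengths are multiples of 8.
    """
    problems = []
    frags = sorted(frags)
    expected = 0
    for i, (offset, length, more) in enumerate(frags):
        last = i == len(frags) - 1
        if offset < expected:
            problems.append(f"overlap at offset {offset} (expected {expected})")
        elif offset > expected:
            problems.append(f"gap before offset {offset} (expected {expected})")
        # MF must be set on every fragment except the final one.
        if more == last:
            state = "set" if more else "clear"
            problems.append(f"MF flag {state} on fragment at offset {offset}")
        if not last and length % 8:
            problems.append(f"non-final fragment length {length} not a multiple of 8")
        expected = max(expected, offset + length)
    return expected, problems


def implied_packet_size(frags):
    """Largest IP packet the fragmenting hop forwarded (first fragment + header)."""
    first_offset, first_length, _ = min(frags)
    return first_length + IPV4_HEADER_LEN


def analyse(lines):
    """Map each IP identification to its total length, packet size and problems."""
    report = {}
    for ip_id, frags in parse_fragments(lines).items():
        total, problems = check_datagram(frags)
        report[ip_id] = {
            "total": total,
            "packet_size": implied_packet_size(frags),
            "problems": problems,
        }
    return report


if __name__ == "__main__":
    for ip_id, r in sorted(analyse(SAMPLE).items()):
        verdict = "ok" if not r["problems"] else "; ".join(r["problems"])
        print(f"id {ip_id}: {r['total']} bytes reassembled, "
              f"largest packet {r['packet_size']} bytes, {verdict}")
```

Run against the full trace, every train from the post comes back as 2055 bytes with no problems, which is the "legitimate looking" pattern Mark describes; the constructed id 9999 is flagged for overlap. The same grouping logic is what an IDS reassembler has to perform before it can inspect the DNS payload at all, since the second fragment carries no UDP header and a signature matched only against first fragments would miss anything pushed into the tail.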