Security Incidents mailing list archives
Re: constant flow of root queries
From: Bojan Zdrnja <bojan.zdrnja () gmail com>
Date: Thu, 19 Jan 2006 19:15:00 +1300
On 1/19/06, Brian Collins <listbc () newnanutilities org> wrote:
Good day folks. This morning an admin asked us to check on a large amount of traffic targeting several DNS servers in our network (both our own DNS servers and customer co-located DNS servers). In looking at the traffic I see that the source is making several queries a second for DNS root. I have included a small sample from tcpdump below. Not sure what the motive is here. The TTLs are all 235. The random source ports make me think possibly spoofed traffic. I can put packet dumps up on a website in libpcap format if anyone is interested. They are still going on as I type this. Thanks for any insight you can lend.

08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] ANY ANY? . (28)
It could be a DoS attack on 207.210.68.202 from an unknown attacker, using your DNS servers. The query for the root servers generates a nice response which can be used to flood the target (small query, big response). As you know what the TTL of incoming packets is (235), you can do a traceroute to this IP address from your network and see what number of hops you will get - that will help you to determine if the packet is spoofed or not.

Cheers,
Bojan
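A defender-side triage script for the pattern Bojan describes, added here as an example and not part of the thread: it parses tcpdump lines like the ones Brian posted, flags a source whose queries are all "ANY" for the root and arrive at a high rate from varying source ports, and turns the observed TTL (235) into the hop count a traceroute from the network should roughly confirm if the source address is genuine. The last two sample lines and the 192.0.2.10 address are constructed; the initial-TTL values 64/128/255 are the common OS defaults, assumed here.

```python
import re
from collections import defaultdict
# tcpdump DNS query line: timestamp, src.port > dst.port, id[+], optional [1au], optional class, type? name (len)
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): \d+\+? (?:\[1au\] )?(?:(?P<qclass>[A-Z]+) )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<qlen>\d+)\)$")

# First two lines are from the post; the other two are constructed (192.0.2.10 is a documentation address).
SAMPLE = """\
08:44:31.681706 IP 207.210.68.202.18257 > 216.130.152.71.53: 7127+ [1au] ANY ANY? . (28)
08:44:31.935719 IP 207.210.68.202.17460 > 216.130.152.71.53: 16133+ [1au] ANY ANY? . (28)
08:44:32.190003 IP 207.210.68.202.40112 > 216.130.152.71.53: 9021+ [1au] ANY ANY? . (28)
08:44:32.441200 IP 192.0.2.10.53211 > 216.130.152.71.53: 3381+ A? www.example.com. (33)
""".splitlines()

def parse_line(line):
    """Return the fields of one tcpdump DNS query line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["t"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + float(d["s"])  # seconds since midnight
    d["sport"] = int(d["sport"])
    return d

def estimate_hops(observed_ttl):
    """Smallest common initial TTL at or above the observed one, and the hop count it implies."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None

def analyze(lines, observed_ttl, min_rate=1.0):
    """Per source IP: query count, root-ANY count, distinct source ports, rate, TTL-implied hops."""
    by_src = defaultdict(list)
    for q in filter(None, map(parse_line, lines)):
        by_src[q["src"]].append(q)
    initial, hops = estimate_hops(observed_ttl)
    report = {}
    for src, qs in by_src.items():
        span = max(q["t"] for q in qs) - min(q["t"] for q in qs)
        rate = len(qs) / span if span > 0 else float(len(qs))
        root_any = sum(q["qtype"] == "ANY" and q["qname"] == "." for q in qs)
        report[src] = {"queries": len(qs), "root_any": root_any,
                       "distinct_sports": len({q["sport"] for q in qs}),
                       "rate_per_s": round(rate, 2), "assumed_initial_ttl": initial,
                       "hops_implied_by_ttl": hops,
                       # every query is a root ANY and they arrive fast: likely reflection traffic
                       "suspect_amplification": root_any == len(qs) and rate >= min_rate}
    return report
```

Run `analyze(SAMPLE, observed_ttl=235)` and compare `hops_implied_by_ttl` (20 here) with a traceroute to the source; a large mismatch supports the spoofing theory.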
Current thread:
- constant flow of root queries Brian Collins (Jan 18)
- Re: constant flow of root queries ilaiy (Jan 19)
- Re: constant flow of root queries Bojan Zdrnja (Jan 19)
- Re: constant flow of root queries Dude VanWinkle (Jan 20)
- Re: constant flow of root queries Kerry Thompson (Jan 23)