[Full-Disclosure] Weird dns queries increasing
- To: <full-disclosure@lists.netsys.com>
- Subject: [Full-Disclosure] Weird dns queries increasing
- From: "Golden Faron P Contr HQ SSG/XOON" <Faron.Golden@Gunter.AF.mil>
- Date: Wed, 15 Oct 2003 16:28:36 -0500
We have been observing a steadily increasing rate of malformed DNS
packets with predictable characteristics that do not exactly match any
of the current discussions about malformed DNS packets. The packets are
UDP and destined to port 53 from random high ports and from random
sources to random hosts. We have seen at least three flavors of
malformed DNS query packets with these characteristics:
Packet 1 (for lack of a better description)
Src: 81.41.208.187 dst: AAA.BBB.239.228 (non-existent host)
Src port: 53 dst port: 53
UDP
QR
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 53380
Number of answer records 16128
Number of Authority records 0
Number of Additional records 0
Packet 2
Src: 216.233.100.27 dst: AAA.BBB.234.206 (non-existent host)
Src port: 40385 dst port: 53
UDP
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 1155
Number of answer records 16128
Number of Authority records 0
Number of Additional records 0
Packet 3
Src: 66.227.160.128 dst: AAA.BBB.217.234 (non-existent host)
Src port: 53 dst port: 53
UDP
Opcode Standard query
AA Authoritative answer is False
TC Truncation is False
RD Recursion desired is False
RA Recursion available is True
Z 111
RCODE 1110
Number of question records 53380
Number of answer records 16166
Number of Authority records 8
Number of Additional records 5082
Question Records
Question Record 1 1110
Any ideas?
Faron
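
An added example, not part of the original post: a header check that decodes the 12-byte DNS header from a UDP port 53 payload and reports the inconsistencies visible in the dumps above (RA and RCODE set in a query, answer records in a query, the reserved Z bit, record counts that cannot fit in the datagram). The function names, the transaction ID and the QR=0 value are assumptions, since the post leaves QR blank; the sample bytes are constructed from the Packet 2 field values.

```python
import struct

# RFC 1035 section 4.1.1: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!6H")
MIN_QUESTION = 5   # root name (1) + QTYPE (2) + QCLASS (2)
MIN_RR = 11        # root name (1) + TYPE/CLASS (4) + TTL (4) + RDLENGTH (2)

def parse_header(payload):
    """Decode the fixed DNS header into the fields listed in the post."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(payload)
    return {
        "id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1, "z": flags >> 4 & 0x7, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def header_anomalies(payload):
    """Return a list of header inconsistencies; empty means nothing flagged."""
    h = parse_header(payload)
    found = []
    if h["qr"] == 0:  # fields that only make sense in a response
        if h["ra"]:
            found.append("RA set in a query")
        if h["rcode"]:
            found.append("non-zero RCODE in a query")
        if h["ancount"] or h["nscount"]:
            found.append("answer/authority records in a query")
    # The top bit of the 3-bit Z field is still reserved; the lower two
    # were later assigned to AD and CD, so only the top bit is checked.
    if h["z"] & 0b100:
        found.append("reserved Z bit set")
    records = h["ancount"] + h["nscount"] + h["arcount"]
    needed = HEADER.size + MIN_QUESTION * h["qdcount"] + MIN_RR * records
    if needed > len(payload):
        found.append("record counts exceed payload size")
    return found

# Constructed sample: Packet 2's field values with an assumed ID and QR=0.
PACKET_2 = struct.pack("!6H", 0x1234, 0x00FE, 1155, 16128, 0, 0)
# Constructed well-formed query (A record for example.com, RD set).
NORMAL = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))

if __name__ == "__main__":
    for name, pkt in (("packet 2", PACKET_2), ("normal", NORMAL)):
        print(name, header_anomalies(pkt))
```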