[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] (Fwd) Re: more malformed DNS queries
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] (Fwd) Re: more malformed DNS queries
- From: "Bill Scherr IV, GSEC, GCIA" <bschnzl@cotse.net>
- Date: Wed, 15 Oct 2003 19:38:27 -0400
AYup...
It started circa 26 Sept... Any ideas?
B.
------- Forwarded message follows -------
Date sent: Tue, 14 Oct 2003 08:48:40 -0400
From: George Bakos <gbakos@ists.dartmouth.edu>
To: {snipped}
Copies to: intrusions@incidents.org
Subject: Re: more malformed DNS queries
Organization: Dartmouth College - ISTS
{more snip}
This appears to be part of a fairly sophisticated dns fingerprinting
effort that we are currently investigating.
Could you, and anyone else that is seeing this traffic, possibly provide
packet logs and/or binary captures?
A tcpdump filter that has been 100% effective, thus far, is:
dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000
or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))
Thanks!
g
On Mon, 13 Oct 2003 22:05:46 -0400
Tyler <tyler@hudakville.com> wrote:
> Today I saw a laptop on my VPN sending a large amount of
> malformed DNS requests to seemingly random destination
addresses.
{another snip}
--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos@ists.dartmouth.edu
------- End of forwarded message -------
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html