[dns-operations] Odd DNS Packet

Roland Dobbins rdobbins at cisco.com
Thu Mar 23 06:26:22 UTC 2006 

This looks to me like random DoS-type junk directed at your DNS servers.

On Mar 22, 2006, at 6:45 PM, David Ulevitch wrote:

> Can someone help me decipher this?
>
> 02:43:23.179500 IP 220.185.129.116.19321 > 38.99.14.207.53:  16705 op8
> + [b2&3=0x4141] [16705a] [16705q] [16705n] [16705au][|domain]
>          0x0000:  4500 011c 1edd 0000 3211 d594 dcb9 8174  E.......
> 2......t
>          0x0010:  2663 0ecf 4b79 0035 0108 7e2f 4141 4141  &c..Ky.
> 5..~/AAAA
>          0x0020:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0030:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0040:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0050:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0060:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0070:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0080:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0090:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x00a0:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x00b0:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x00c0:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x00d0:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x00e0:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x00f0:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0100:  4141 4141 4141 4141 4141 4141 4141 4141
> AAAAAAAAAAAAAAAA
>          0x0110:  4141 4141 4141 4141 4141 4141             
> AAAAAAAAAAAA
>
>
> Getting a few thousand a second now.  All kinds of unique sources, I
> am gonna capture a bunch of traces. :-)
>
> Not being nice to my servers.  Or my network.  Don't have PPS counts,
> but it's roughly 36mbps of this and it hurts a lot.
>
> -david
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck

More information about the dns-operations mailing list