[dns-operations] udp/49153

Sam Norris Sam at ChangeIP.com
Fri Dec 5 23:14:33 UTC 2008


> I ran tcpdump on the OARC nameserver and captured a few but they
> dont look like DNS to me:
>
> 20:59:46.132091 IP xx.xxx.xxx.xxx.32771 > 149.20.58.65.49153: UDP, length 50
>         0x0000:  4500 004e 45dc 0000 3411 b6fc .... ....
>         0x0010:  9514 3a41 8003 c001 003a 3d40 6c69 6e6b
>         0x0020:  7072 6f6f 662e 7072 6f78 696d 6974 792e
>         0x0030:  6164 7661 6e63 6564 0000 0000 0000 0000
>         0x0040:  0000 0000 0000 0000 0000 0000 0000
>
> Following the UDP header is the character string "linkproof.proximity.advanced",
> which seems to be associated with a product by Radware.

Today there are definitely not as many as last week, and I can't find any 
that are actual DNS payload as I did before.

0000   00 30 48 56 3c 19 00 04 23 bd f7 da 08 00 45 00  .0HV<...#.....E.
0010   00 4e 2b 14 00 00 33 11 6b c7 55 0a 24 02 cc 10  .N+...3.k.U.$...
0020   ab a7 8a e8 c0 01 00 3a cb 5d 6c 69 6e 6b 70 72  .......:.]linkpr
0030   6f 6f 66 2e 70 72 6f 78 69 6d 69 74 79 2e 61 64  oof.proximity.ad
0040   76 61 6e 63 65 64 00 00 00 00 00 00 00 00 00 00  vanced..........
0050   00 00 00 00 00 00 00 00 00 00 00 00              ............

The one I just saw is the same as your snippet.  Previously the ones I 
witnessed (without keeping captures dang it) were actual spamhaus RBL 
queries coming to a mirror here.  I am only seeing onsey twoseys now whereas 
last week I was seeing hundreds of thousands from lots of sources.

Sam
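Added example (not part of the original post or any Radware/OARC tooling): the frame Sam pasted above, rebuilt from the hex dump and walked Ethernet -> IPv4 -> UDP, then run through a cheap "does this payload even parse as a DNS query" check so that such probes can be separated from real queries in a capture. `SAMPLE_QUERY` is a constructed, well-formed query for comparison; field names and the plausibility thresholds are my own assumptions.

```python
import struct
from ipaddress import IPv4Address

# Hex dump copied from the post (92-byte Ethernet frame); the ASCII column is dropped.
FRAME_HEX = """
0000   00 30 48 56 3c 19 00 04 23 bd f7 da 08 00 45 00
0010   00 4e 2b 14 00 00 33 11 6b c7 55 0a 24 02 cc 10
0020   ab a7 8a e8 c0 01 00 3a cb 5d 6c 69 6e 6b 70 72
0030   6f 6f 66 2e 70 72 6f 78 69 6d 69 74 79 2e 61 64
0040   76 61 6e 63 65 64 00 00 00 00 00 00 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 00 00 00
"""

# Constructed for contrast: a normal query (ID 0x1234, RD set, one question, example.com A IN).
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

def hexdump_to_bytes(dump):
    """Turn an offset-prefixed hex dump back into raw bytes (offset column is skipped)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)

def udp_payload(frame):
    """Walk Ethernet -> IPv4 -> UDP; return (src, dst, sport, dport, payload)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 17:
        raise ValueError("not UDP")
    src = str(IPv4Address(frame[ip + 12:ip + 16]))
    dst = str(IPv4Address(frame[ip + 16:ip + 20]))
    udp = ip + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    return src, dst, sport, dport, frame[udp + 8:udp + ulen]

def looks_like_dns(payload):
    """Header sanity (valid opcode, 1-2 questions) plus a parsable question name."""
    if len(payload) < 12:
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF > 5 or not 1 <= qd <= 2:
        return False
    pos = 12
    while pos < len(payload) and payload[pos] != 0:   # walk QNAME labels
        if payload[pos] > 63:                          # pointer/junk in a query name
            return False
        pos += 1 + payload[pos]
    return len(payload) >= pos + 5                     # terminator + QTYPE + QCLASS
```

For the pasted frame the flags word is the bytes "nk" (0x6e6b), giving opcode 13, so it is rejected before the name is even looked at; the real query passes.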