[dns-operations] udp/49153
Sam Norris
Sam at ChangeIP.com
Fri Dec 5 23:14:33 UTC 2008
> I ran tcpdump on the OARC nameserver and captured a few but they
> don't look like DNS to me:
>
> 20:59:46.132091 IP xx.xxx.xxx.xxx.32771 > 149.20.58.65.49153: UDP, length
> 50
> 0x0000: 4500 004e 45dc 0000 3411 b6fc .... ....
> 0x0010: 9514 3a41 8003 c001 003a 3d40 6c69 6e6b
> 0x0020: 7072 6f6f 662e 7072 6f78 696d 6974 792e
> 0x0030: 6164 7661 6e63 6564 0000 0000 0000 0000
> 0x0040: 0000 0000 0000 0000 0000 0000 0000
>
> Following the UDP header is the character string
> "linkproof.proximity.advanced"
> which seems to be associated with a product by Radware.
Today there are definitely not as many as last week, and I can't find any
that are actual DNS payload as I did before.
0000 00 30 48 56 3c 19 00 04 23 bd f7 da 08 00 45 00 .0HV<...#.....E.
0010 00 4e 2b 14 00 00 33 11 6b c7 55 0a 24 02 cc 10 .N+...3.k.U.$...
0020 ab a7 8a e8 c0 01 00 3a cb 5d 6c 69 6e 6b 70 72 .......:.]linkpr
0030 6f 6f 66 2e 70 72 6f 78 69 6d 69 74 79 2e 61 64 oof.proximity.ad
0040 76 61 6e 63 65 64 00 00 00 00 00 00 00 00 00 00 vanced..........
0050 00 00 00 00 00 00 00 00 00 00 00 00 ............
The one I just saw is the same as your snippet. Previously the ones I
witnessed (without keeping captures, dang it) were actual Spamhaus RBL
queries coming to a mirror here. I am only seeing onsey twoseys now whereas
last week I was seeing hundreds of thousands from lots of sources.
Sam
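As an added example (not code from the thread), a small Python script that rebuilds Sam's frame from the hex dump above, walks Ethernet/IPv4/UDP (assuming the tcpdump/Wireshark offset-hex-ASCII layout and a plain Ethernet frame), and labels the payload either as a plausible DNS header or as the NUL-terminated LinkProof string, so a mirror operator can count the probes separately from real RBL queries. The DNS check is a deliberately simple header heuristic, not a full parser.

```python
import re
import struct
# Constructed test input: the frame Sam posted (offset, 16 hex bytes, ASCII column).
SAM_DUMP = """\
0000 00 30 48 56 3c 19 00 04 23 bd f7 da 08 00 45 00 .0HV<...#.....E.
0010 00 4e 2b 14 00 00 33 11 6b c7 55 0a 24 02 cc 10 .N+...3.k.U.$...
0020 ab a7 8a e8 c0 01 00 3a cb 5d 6c 69 6e 6b 70 72 .......:.]linkpr
0030 6f 6f 66 2e 70 72 6f 78 69 6d 69 74 79 2e 61 64 oof.proximity.ad
0040 76 61 6e 63 65 64 00 00 00 00 00 00 00 00 00 00 vanced..........
0050 00 00 00 00 00 00 00 00 00 00 00 00 ............
"""
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")
PROBE_STRING = b"linkproof.proximity.advanced"

def hexdump_to_bytes(dump):
    """Skip the offset, take at most 16 hex tokens per line, stop at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def udp_payload(frame):
    """Walk Ethernet -> IPv4 -> UDP (assumed layout); return (sport, dport, payload)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl                        # UDP header starts after Ethernet + IPv4
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    return sport, dport, frame[udp + 8:udp + ulen]

def looks_like_dns(payload):
    """Header heuristic: defined opcode, at most one question (the probe decodes to opcode 13)."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    return ((flags >> 11) & 0xF) in (0, 1, 2, 4, 5) and qdcount <= 1

def classify(payload):
    """Label a udp/49153 payload the way the thread does."""
    text, _, rest = payload.partition(b"\x00")
    if text == PROBE_STRING and not rest.strip(b"\x00"):
        return "linkproof-proximity-probe"  # C string followed only by zero padding
    if looks_like_dns(payload):
        return "dns"
    return "unknown"
```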