[dns-operations] "NS .", the attack of the month?
Geoffrey Sisson
geoff at geoff.co.uk
Thu Jan 29 23:36:48 UTC 2009
geoff at geoff.co.uk (Geoffrey Sisson) wrote:
> This tcpdump expression seems to be effective for capturing the current
> isprime attack activity, since the offsets don't change:
>
> tcpdump -n -s 0 -w isprime.raw '
> udp dst port 53 and
> (udp[10] & 0x80 = 0) and
> udp[12] = 0 and
> udp[13] = 1 and
> udp[20] = 0 and
> udp[21] = 0 and
> udp[22] = 2 and
> udp[23] = 0 and
> udp[24] = 1
> '
Ray reminded me this could be cleaned up as follows:
tcpdump -n -s 0 -w isprime.raw '
udp dst port 53 and
(udp[10:2] & 0x8000 = 0) and
udp[12:2] = 1 and
udp[20] = 0 and
udp[21:2] = 2 and
udp[23:2] = 1
'
So:
(udp[10:2] & 0x8000 = 0) # QR = 0 (query, not response)
udp[12:2] = 1 # QDCOUNT = 1
udp[20] = 0 # QNAME = '.'
udp[21:2] = 2 # QTYPE = NS
udp[23:2] = 1 # QCLASS = IN
(Thanks, Ray!)
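The same byte-offset test expressed in Python, added here as an example and not part of the original post: it applies the cleaned-up filter to raw UDP datagrams that the script constructs itself (no capture file needed), and also decodes the question generically so a match can be logged; the function names are my own.

```python
import struct

UDP_HDR_LEN = 8  # DNS header starts at udp[8]; question section at udp[20]

def build_udp_dns_query(qname, qtype, qclass=1, txid=0x1234, qr=0, dport=53):
    """Construct a UDP datagram carrying one DNS question (sample data for this example)."""
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.strip(".").split(".") if l)
    question = labels + b"\x00" + struct.pack("!HH", qtype, qclass)
    flags = (qr & 1) << 15 | 0x0100          # QR bit plus RD set
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    return struct.pack("!HHHH", 40000, dport, UDP_HDR_LEN + len(dns), 0) + dns

def matches_ns_root_filter(udp):
    """Same test as the tcpdump expression, on a raw UDP datagram (header + payload)."""
    if len(udp) < 25:
        return False
    dport, = struct.unpack("!H", udp[2:4])
    flags, qdcount = struct.unpack("!HH", udp[10:14])   # udp[10:2], udp[12:2]
    qtype, qclass = struct.unpack("!HH", udp[21:25])    # udp[21:2], udp[23:2]
    return (dport == 53 and flags & 0x8000 == 0 and qdcount == 1
            and udp[20] == 0 and qtype == 2 and qclass == 1)

def decode_question(udp):
    """Parse the first question generically (any QNAME length), for logging a match."""
    pos = UDP_HDR_LEN + 12
    labels = []
    while True:
        n = udp[pos]
        pos += 1
        if n == 0:
            break
        labels.append(udp[pos:pos + n].decode())
        pos += n
    qtype, qclass = struct.unpack("!HH", udp[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass

if __name__ == "__main__":
    for name, qtype, qr in [(".", 2, 0), ("example.com", 1, 0), (".", 2, 1)]:
        pkt = build_udp_dns_query(name, qtype, qr=qr)
        print(decode_question(pkt), "response" if qr else "query",
              "->", matches_ns_root_filter(pkt))
```

Only the "NS ." query matches; the A query fails at udp[20] and the response fails on the QR bit.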