[dns-operations] Abnormal activity fron chinanet?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Apr 4 08:20:04 UTC 2012

On Fri, Dec 02, 2011 at 11:05:26AM -0600,
 Chris Adams <cmadams at hiwaay.net> wrote 
 a message of 30 lines which said:

> FYI: here's a pcap filter that will match only UDP DNS ANY queries:

No, only if no EDNS is used in the query (and, in actual attacks, it
is sometimes used, to get a better amplification). 

> udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536 and udp[16:4]=0 and udp[udp[4:2]-3]=255

Counting from the end of the packet is a clever idea (to avoid parsing
the QNAME) but it fails if there is an additionnal record. I assume
this is why you test ARCOUNT=0 but it makes the filter too

More information about the dns-operations mailing list