[dns-operations] Abnormal activity fron chinanet?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Apr 4 08:20:04 UTC 2012
On Fri, Dec 02, 2011 at 11:05:26AM -0600,
Chris Adams <cmadams at hiwaay.net> wrote
a message of 30 lines which said:
> FYI: here's a pcap filter that will match only UDP DNS ANY queries:
No, only if no EDNS is used in the query (and, in actual attacks, it
is sometimes used, to get a better amplification).
> udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536 and udp[16:4]=0 and udp[udp[4:2]-3]=255
Counting from the end of the packet is a clever idea (to avoid parsing
the QNAME) but it fails if there is an additional record. I assume
this is why you test ARCOUNT=0 but it makes the filter too
restrictive.
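To make the two objections concrete (EDNS changes the DNS header, and an OPT record at the end of the message breaks the count-from-the-end trick), the following is an added example that is not part of this thread. It builds constructed DNS queries in Python, emulates the BPF expression byte-for-byte on a fake UDP datagram, and compares it with a proper parse of the question section. Packet contents, names and function names are all constructed for the illustration.

```python
import struct

def build_dns_query(qname, qtype, edns=False, txid=0x1234):
    """Constructed DNS query message (not captured traffic).
    RD=1, QDCOUNT=1; with edns=True an OPT pseudo-RR is appended and ARCOUNT=1."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size 4096,
        # TTL field = extended RCODE/version/flags (0), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def wrap_udp(payload, sport=53000, dport=53):
    """Prepend a UDP header (length filled in, checksum zero) so the BPF
    offsets from the thread apply unchanged."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def bpf_filter_matches(udp):
    """Emulate: udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536
    and udp[16:4]=0 and udp[udp[4:2]-3]=255  (offsets are from UDP start)."""
    if struct.unpack("!H", udp[2:4])[0] != 53:
        return False
    ulen = struct.unpack("!H", udp[4:6])[0]
    if ulen > len(udp) or ulen < 20:
        return False
    return (udp[10] & 0xF8 == 0                             # QR=0, opcode=0, AA=0
            and struct.unpack("!I", udp[12:16])[0] == 65536  # QDCOUNT=1, ANCOUNT=0
            and struct.unpack("!I", udp[16:20])[0] == 0      # NSCOUNT=0, ARCOUNT=0
            and udp[ulen - 3] == 255)                        # low byte of last QTYPE

def parse_question(dns):
    """Parse the header and first question of a DNS query.
    Returns (qtype, arcount) or None if it is not a standard query."""
    if len(dns) < 12:
        return None
    _, flags, qd, _, _, ar = struct.unpack("!HHHHHH", dns[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qd != 1:
        return None
    off = 12
    while True:                       # walk the QNAME labels
        if off >= len(dns):
            return None
        ln = dns[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0:                 # compression pointers are invalid here
            return None
        off += 1 + ln
    if off + 4 > len(dns):
        return None
    qtype, _ = struct.unpack("!HH", dns[off:off + 4])
    return qtype, ar

def is_any_query(dns):
    """True for QTYPE=ANY (255) regardless of whether an OPT record follows."""
    r = parse_question(dns)
    return r is not None and r[0] == 255

if __name__ == "__main__":
    for label, q in [("ANY, no EDNS", build_dns_query("example.com", 255)),
                     ("ANY, EDNS",    build_dns_query("example.com", 255, edns=True)),
                     ("A, no EDNS",   build_dns_query("example.com", 1))]:
        print(f"{label:14s} bpf={bpf_filter_matches(wrap_udp(q))} parsed={is_any_query(q)}")
```

The EDNS case is the one that matters for amplification monitoring: the OPT record makes ARCOUNT=1 and moves the OPT RR, not the QTYPE, to the tail of the datagram, so the BPF expression silently misses it while the parser still classifies it as ANY.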