[dns-operations] DNS ANY record queries - Reflection Attacks

Klaus Darilion klaus.mailinglists at pernau.at
Tue Sep 11 15:32:18 UTC 2012



On 11.09.2012 17:09, Robert Schwartz wrote:
> The other interesting thing I noticed about the attack packets, is that
> the source port and transaction ID are transposed. This could be used to
> finger print the abusive packets. Here's a few lines from our TinyDNS
> log (domain names removed and time-codes converted to a reader friendly
> format):
>
> 2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
> 2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
> 2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
> 2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
> 2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
>
> The three sets of hex separated by colons represent Source IP:Source
> Port:Transaction ID (tinydns log file format is explained here:
> http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html )
>
> Looking at the last line for example shows: source port: c6df and its
> inverse ID: dfc6
>
> Anyone else seeing this behaviour in their logs?

Nice observation - same here. Is there any software known for such a 
behavior?

regards
Klaus



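The fingerprint Robert describes (transaction ID equal to the source port with its two bytes swapped, on ANY queries) is easy to check mechanically. The following is an added example, not code from the thread or from djbdns: a small parser for the converted tinydns log layout quoted above (timestamp, client ip:port:id in hex, response code, query type in hex, optional query name), plus a filter that reports entries whose ID is the byte-swapped port. The log lines it runs on are constructed for the example, not real traffic; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic). The first three copy the shape
# of the quoted excerpt; the rest add a normal query, a swapped-ID query that
# is not ANY, and a byte-palindromic port (4141) that matches by construction.
SAMPLE_LOG = """\
2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:20:01.000000000 0a000001:c350:1a2b + 0001 example.net
2012-09-11 04:20:02.000000000 0a000002:d431:31d4 + 0001 example.net
2012-09-11 04:20:03.000000000 0a000003:4141:4141 + 00ff example.net
"""

# Timestamp is either one token (raw TAI64N "@4000...") or the two-token
# human-readable form used in the excerpt; the rest is tinydns's own layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+(?: \S+)?) "
    r"(?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<id>[0-9a-f]{4}) "
    r"(?P<code>\S) (?P<qtype>[0-9a-f]{4})(?: (?P<name>\S+))?$"
)

QTYPE_ANY = 0xFF


@dataclass
class Query:
    ts: str
    ip: str          # dotted quad, decoded from the 8 hex digits
    port: int        # client source port
    txid: int        # DNS transaction ID
    code: str        # tinydns response code ('+' = answered)
    qtype: int
    name: Optional[str]


def hex_to_dotted(h: str) -> str:
    """Decode tinydns's 8-hex-digit IPv4 address into dotted-quad form."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_line(line: str) -> Optional[Query]:
    """Parse one tinydns log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Query(
        ts=m["ts"],
        ip=hex_to_dotted(m["ip"]),
        port=int(m["port"], 16),
        txid=int(m["id"], 16),
        code=m["code"],
        qtype=int(m["qtype"], 16),
        name=m["name"],
    )


def byteswap16(v: int) -> int:
    """Exchange the high and low byte of a 16-bit value (0xc6df -> 0xdfc6)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def has_swapped_id(q: Query) -> bool:
    """True when the transaction ID is the byte-swapped source port."""
    return q.txid == byteswap16(q.port)


def flag_suspicious(log_text: str, any_only: bool = True) -> List[Query]:
    """Return queries carrying the swapped-ID fingerprint, by default ANY only."""
    hits = []
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        if any_only and q.qtype != QTYPE_ANY:
            continue
        if has_swapped_id(q):
            hits.append(q)
    return hits


def count_by_source(hits: List[Query]) -> Dict[str, int]:
    """Tally flagged queries per (spoofed) source address, the reflection victim."""
    counts: Dict[str, int] = {}
    for q in hits:
        counts[q.ip] = counts.get(q.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for q in flag_suspicious(SAMPLE_LOG):
        print(f"{q.ts} {q.ip}:{q.port} id={q.txid:04x} qtype={q.qtype:04x}")
    print(count_by_source(flag_suspicious(SAMPLE_LOG)))
```

Two caveats when using this as a detection rule: with a genuinely random source port and transaction ID the match occurs by chance with probability 1/65536 per query, so isolated hits from a source are noise, and a port whose two bytes are equal (0x4141 in the sample) matches by definition. Counting hits per source address and acting only on sustained runs, as in the excerpt, keeps both effects out of the way. Note also that the source address in a reflection attack is the victim's, not the attacker's, so the tally tells you whom to rate-limit responses to, not whom to block.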