[dns-operations] DNS ANY record queries - Reflection Attacks

Tony Finch dot at dotat.at
Tue Sep 11 16:32:04 UTC 2012


Robert Schwartz <smellyspice at gmail.com> wrote:
>
> The other interesting thing I noticed about the attack packets, is that
> the source port and transaction ID are transposed. This could be used to
> fingerprint the abusive packets. Here's a few lines from our TinyDNS
> log (domain names removed and time-codes converted to a reader friendly
> format):
>
> 2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
> 2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
> 2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
> 2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
> 2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
>
> The three sets of hex separated by colons represent Source IP:Source Port:Transaction ID
> (tinydns log file format is explained here:
> http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html )
>
> Looking at the last line for example shows: source port: c6df and its inverse ID: dfc6
>
> Anyone else seeing this behaviour in their logs?

Interesting! I have taught BIND to log query ports and IDs in hex and I'll
see if I spot anything like this. (But the only dodgy traffic I have seen
so far on my toy name server is queries from spam bots...)

https://github.com/fanf2/bind-9/commit/8295e34907e8e06c65f0eae3d7d6d558b640f2cf

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.