[dns-operations] Null padding query packets
Jon Lewis
jlewis at lewis.org
Tue Apr 2 02:47:20 UTC 2013
On Tue, 2 Apr 2013, Dobbins, Roland wrote:
>
> On Apr 2, 2013, at 8:30 AM, Jon Lewis wrote:
>
>> They look legitimate and too small in number to be any sort of DoS if that's what you're getting at.
>
> I was just wondering if it seems likely that they're synthetically
> generated for some purpose (not necessarily DDoS), or if they appear to
> be legitimate queries, as far as can be determined. It sounds as if the
> latter is the case . . .
Some do fail to be answered. i.e.
20:56:59.948499 IP (tos 0x0, ttl 115, id 12394, offset 0, flags [none],
proto: UDP (17), length: 540) 50.76.25.65.5455 > 69.28.95.83.53: [udp sum
ok] 17648 [b2&3=0x200] A? 125.237.120.64.dnsbl.njabl.org. (512)
0x0000: 4500 021c 306a 0000 7311 256b 324c 1941 E...0j..s.%k2L.A
0x0010: 451c 5f53 154f 0035 0208 81e5 44f0 0200 E._S.O.5....D...
0x0020: 0001 0000 0000 0000 0331 3235 0332 3337 .........125.237
0x0030: 0331 3230 0236 3405 646e 7362 6c05 6e6a .120.64.dnsbl.nj
0x0040: 6162 6c03 6f72 6700 0001 0001 0000 0000 abl.org.........
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x01f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0210: 0000 0000 0000 0000 0000 0000 ............
20:56:59.948521 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto:
UDP (17), length: 76) 69.28.95.83.53 > 50.76.25.65.5455: [udp sum ok]
17648 NotImp- q: A? 125.237.120.64.dnsbl.njabl.org. 0/0/0 (48)
0x0000: 4500 004c 0000 4000 4011 4aa5 451c 5f53 E..L..@.@.J.E._S
0x0010: 324c 1941 0035 154f 0038 0781 44f0 8004 2L.A.5.O.8..D...
0x0020: 0001 0000 0000 0000 0331 3235 0332 3337 .........125.237
0x0030: 0331 3230 0236 3405 646e 7362 6c05 6e6a .120.64.dnsbl.nj
0x0040: 6162 6c03 6f72 6700 0001 0001 abl.org.....
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
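
Added example, not part of the original message or of any tool used in the thread: a Python check that parses a DNS payload through its question section and reports whether the bytes left over are all-null padding. The two sample payloads are rebuilt from the hex dumps above (the 464 zero bytes are generated rather than typed out); the function and field names are hypothetical.

```python
import struct

# DNS payloads rebuilt from the capture above (IP/UDP headers stripped).
# The query's 464 trailing zero bytes are generated instead of typed out.
QUESTION = bytes.fromhex("03313235" "03323337" "03313230" "023634"
                         "05646e73626c" "056e6a61626c" "036f7267" "00" "00010001")
QUERY = bytes.fromhex("44f002000001000000000000") + QUESTION + b"\x00" * 464
REPLY = bytes.fromhex("44f080040001000000000000") + QUESTION


def analyze(payload):
    """Parse the header and question section, then classify what follows."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    off, names = 12, []
    for _ in range(qd):
        labels = []
        while True:
            if off >= len(payload):
                raise ValueError("truncated QNAME")
            n = payload[off]
            off += 1
            if n == 0:
                break
            if n & 0xC0 or off + n > len(payload):
                raise ValueError("bad label in question")
            labels.append(payload[off:off + n].decode("ascii", "replace"))
            off += n
        if off + 4 > len(payload):
            raise ValueError("truncated QTYPE/QCLASS")
        off += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels) + ".")
    # With no answer/authority/additional records, anything left is surplus.
    surplus = payload[off:] if an == ns == ar == 0 else b""
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0xF,
        "qnames": names,
        "question_end": off,
        "surplus": len(surplus),
        "null_padded": len(surplus) > 0 and surplus.count(0) == len(surplus),
    }


if __name__ == "__main__":
    for label, pkt in (("query", QUERY), ("reply", REPLY)):
        print(label, len(pkt), analyze(pkt))
```

On the query this reports a 48-byte DNS message followed by 464 null bytes, and it decodes the 0x0200 flag word that tcpdump prints as `b2&3=0x200` as the TC bit.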