[dns-operations] Null padding query packets

John Kristoff jtk at cymru.com
Tue Apr 2 23:30:26 UTC 2013


On Mon, 1 Apr 2013 21:06:27 -0400 (EDT)
Jon Lewis <jlewis at lewis.org> wrote:

> I was watching the DNS query stream hitting a few rbldnsd servers
> recently and noticed a small % of systems sending queries padded with
> hundreds of nulls at the end of the packet.  540 is a common total
> packet size (512 byte query + 28 bytes IP/UDP header).  551/523 is

I remember seeing this at Ultra.  It was always for BL stuff.  I don't
remember if it was one specific BL or not, but I remember thinking it
odd.  I didn't look into it, but I noticed it during DDoS attacks
when we were getting floods of garbage to UDP dest port 53, much of the
attack traffic being large messages, which are generally unexpected
for queries arriving at auth servers.  I noticed if we were to filter
on large messages we would have dropped a small number of those legit
ones.

I never bothered to get to the bottom of it, but I'm still curious.
Since it has been going on for years, presuming we're talking about the
same thing, which I'm confident we are, I wonder if there is some
specific custom code that is generating this stuff.  Is it for a
particular BL, BL user maybe?  What else is in common?  Any particular
source network, node type?  Maybe there is just some common code doing
the lookups and it happens to pad the message with null bytes?

John
