DNS BIND traffic capture ICMP/UDP
Daniel Dawalibi
daniel.dawalibi at idm.net.lb
Fri Jan 15 13:48:56 UTC 2016
Hello
We observed unusual traffic combining ICMP and UDP packets while running
the tcpdump command on the DNS caching server.
Kindly note that only UDP DNS traffic is allowed on this server (ICMP is not
allowed from outside to the DNS server).
Any help regarding this issue? Why are we getting ICMP and UDP requests?
Could it be an attack?
Logs:
# tcpdump -n icmp
15:41:05.054237 IP 10.151.130.74 > DNSIP: ICMP 10.151.130.74 udp port 52003 unreachable, length 52
15:41:05.064449 IP 10.75.6.36 > DNSIP: ICMP 10.75.6.36 udp port 50162 unreachable, length 52
15:41:05.067953 IP 10.33.10.155 > DNSIP: ICMP 10.33.10.155 udp port 50233 unreachable, length 52
15:41:05.067958 IP 10.75.15.162 > DNSIP: ICMP 10.75.15.162 udp port 53847 unreachable, length 52
15:41:05.072727 IP 10.33.12.219 > DNSIP: ICMP 10.33.12.219 udp port 51024 unreachable, length 52
..
Example: 10.151.130.74 (client source IP)
DNSIP: DNSServer IP
Regards
Daniel