HELP! DNS Attack
John Coutts
administrator at yellowhead.com
Sat Oct 9 20:19:58 UTC 1999
Our DNS server has started shutting down 2 to 3 times a week in the past few
weeks. Not the whole server, just port 53. Nothing gets logged except the fact
that a socket vector had to be reset. Using a Network Monitor, I was able to
capture the packets sent and received just prior to 2 of the failures, and they
are remarkably similar. Stripping off the IP and TCP header info, this is what
they look like.
------------------------------ Case 1 --------------------------------
69 D0 01 00 00 01 00 00 00 00 | first
00 00 10 61 6C 62 65 72 74 61 64 69 72 65 63 74 | fragment
Ack from server
00 00 00 00 00 00 second fragment
56 D8 65 3B BF AB third fragment
27 91 48 3C D5 17 fourth fragment
Ack from server
------------------------------ Case 2 --------------------------------
48 1C 01 00 00 01 00 00 00 00 | first
00 00 10 61 6C 62 65 72 74 61 64 69 72 65 63 74 | fragment
Ack from server
00 00 00 00 00 00 second fragment
0D 0A 4D 4A 5E 4B third fragment
2A 35 53 4F 43 25 fourth fragment
Ack from server
----------------------------------------------------------------------
These are not normal DNS queries, as they are TCP and not UDP packets. They
came from completely different parts of the world, and if anyone has any idea
how a DNS would respond to such a request, I would be very grateful for the
feedback. We are using Windows NT and MetaInfo for DNS Server.
J.A. Coutts
Systems Engineer
Edsonet/TravPro