HELP! DNS Attack

John Coutts administrator at yellowhead.com
Wed Oct 13 14:16:47 UTC 1999


After all is said and done, both queries look like legitimate DNS queries. This 
has been a real learning experience for me, and none of the shortcuts I tried 
helped. I had to go right back to the RFCs to understand these transmissions. It 
would appear that my DNS simply can't handle DNS queries by TCP. After 
analyzing these transmissions, I can't understand why anyone would use TCP 
instead of UDP for a DNS query. There is substantially more overhead.

------------------------------ Case 2 --------------------------------
      04 04 00 35 CE 38 9C B1 00 00 00 00 A0 02 | -----> SYN Req
7F 88 B5 09 00 00 02 04 05 CC 04 02 08 0A 00 07 | Seq=CE 38 9C B1
77 76 00 00 00 00 01 03 03 00                   | Ctl=SYN

      00 35 04 04 45 69 5B 5F CE 38 9C B2 60 12 | <----- Syn Ack
22 38 39 35 00 00                               | Seq=45 69 5B 5F
                                                | Ack=CE 38 9C B2 
                                                | Ctl=SYN, ACK

      04 04 00 35 CE 38 9C B2 45 69 5B 60 50 10 | -----> Syn Est
7F 88 F3 A1 00 00                               | Seq=CE 38 9C B2
                                                | Ack=45 69 5B 60
                                                | Ctl=ACK

      04 04 00 35 CE 38 9C B2 45 69 5B 60 50 18 | -----> Syn Est
7F 88 F3 6F 00 00 00 28                         | Seq=CE 38 9C B2
                                                | Ack=45 69 5B 60
                                                | Ctl=ACK, PSH
                                                | Data=00 28

      00 35 04 04 45 69 5B 60 CE 38 9C B4 50 10 | <----- Psh Ack
22 36 50 F2 00 00                               | Seq=45 69 5B 60
                                                | Ack=CE 38 9C B4
                                                | Ctl=ACK

      04 04 00 35 CE 38 9C B4 45 69 5B 60 50 18 | -----> Syn Est
7F 88 6B 40 00 00 48 1C 01 00 00 01 00 00 00 00 | Seq=CE 38 9C B4
00 00 10 61 6C 62 65 72 74 61 64 69 72 65 63 74 | Ack=45 69 5B 60
6F 72 79 03 63 6F 6D 00 00 01 00 01 ?? ??       | Ctl=ACK, PSH
                       | Data="albertadirectory.com" 00 01 00 01

      00 35 04 04 45 69 5B 60 CE 38 9C DC 50 11 | <----- Close Wait
22 0E 50 F1 00 00                               | Seq=45 69 5B 60
                                                | Ack=CE 38 9C DC
                                                | Ctl=ACK, FIN

      04 04 00 35 CE 38 9C DC 45 69 5B 61 50 10 | -----> Close Ack
7F 87 F3 77 00 00                               | Seq=CE 38 9C DC
                                                | Ack=45 69 5B 61
                                                | Ctl=ACK

      04 04 00 35 CE 38 9C DC 45 69 5B 61 50 11 | -----> Close Wait
7F 88 F3 75 00 00                               | Seq=CE 38 9C DC
                                                | Ack=45 69 5B 61
                                                | Ctl=ACK, FIN

      00 35 04 04 45 69 5B 61 CE 38 9C DD 50 10 | <----- Last Ack
22 0E 50 F0 00 00                               | Seq=45 69 5B 61
                                                | Ack=CE 38 9C DD
                                                | Ctl=ACK
----------------------------------------------------------------------
J.A. Coutts
Systems Engineer
Edsonet/TravPro
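As an added worked example (not code from the post or from BIND), the following Python decodes the two PSH segments in Case 2 the way RFC 1035 section 4.2.2 says a TCP DNS client or server must: the first segment carries only the two-byte message length (00 28, i.e. 40 bytes), and the second carries the query itself. The sample bytes are constructed from the hex dump above; the two bytes the post shows as "?? ??" were not captured there and are zero-filled here as a labelled placeholder, which the parser reports as unconsumed trailing bytes rather than silently accepting. The reassembler shows the point a server implementer has to get right: nothing can be parsed until length + 2 bytes have arrived, however the sender split them across segments.

```python
import struct

# Constructed from the post's hex dump: the TCP payload of the two PSH segments.
SEGMENT_LENGTH_PREFIX = bytes.fromhex("0028")  # RFC 1035 4.2.2 length: 40 bytes follow
SEGMENT_QUERY = bytes.fromhex(
    "481c"                          # transaction ID 0x481C
    + "0100"                        # flags: standard query, recursion desired
    + "0001" + "0000" + "0000" + "0000"  # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    + "10" + b"albertadirectory".hex()   # label length 16 + "albertadirectory"
    + "03" + b"com".hex() + "00"         # label length 3 + "com", root terminator
    + "0001" + "0001"               # QTYPE=A, QCLASS=IN
    + "0000"                        # placeholder for the two bytes shown as "?? ??"
)


class TcpDnsReassembler:
    """Buffers TCP payload and returns complete length-prefixed DNS messages.

    The two-byte prefix may arrive in its own segment, as it does in the trace,
    so no parsing happens until the whole message is present."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        self.buf.extend(data)
        messages = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # wait for more segments
            messages.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return messages


def read_name(msg, offset):
    """Decode a DNS name at offset; return (name, offset after the name).

    Follows compression pointers (RFC 1035 4.1.4) but advances the caller's
    offset only past the first pointer, and refuses pointer loops."""
    labels, seen, end, jumped = [], set(), None, False
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer in seen:
                raise ValueError("compression pointer loop")
            seen.add(pointer)
            if not jumped:
                end, jumped = offset + 2, True
            offset = pointer
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns_message(msg):
    """Parse the header and question section; report bytes left unconsumed."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": ident, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "questions": questions,
            "trailing": len(msg) - offset}


def decode_trace(segments=(SEGMENT_LENGTH_PREFIX, SEGMENT_QUERY)):
    """Feed the segments in arrival order and parse every complete message."""
    reassembler, complete = TcpDnsReassembler(), []
    for segment in segments:
        complete.extend(reassembler.feed(segment))
    return [parse_dns_message(m) for m in complete]


if __name__ == "__main__":
    for message in decode_trace():
        print(message)
```

Running it prints one parsed message: ID 0x481C, flags 0x0100, one question for albertadirectory.com type A class IN, and two trailing bytes, which is exactly why the length prefix says 40 while the visible query accounts for 38.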
