[q] curious packets

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Tue Apr 27 05:53:38 UTC 2004


Hyo-Jeong Shin <shinhj at hana.ne.kr> wrote:

> Hello all,
> I captured some curious packets from our DNS servers with bind 8.2.7 on
> linux.
> Anybody knows why these packets are generated?

> [1] repeated ServFail =================================
> 16:02:57.053606 client.43312 > server.53: S 1054099647:1054099647(0) win
> 16384 <mss 1460,nop,nop,sackOK> (DF)
> 16:02:57.053639 server.53 > client.43312: S 2979146159:2979146159(0) ack
> 1054099648 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 16:02:57.086975 client.43312 > server.53: . ack 1 win 17520 (DF)
> 16:02:57.088947 client.43312 > server.53: P 1:37(36) ack 1 win 17520
> 7261+ MX? yourbusiness.com. (34) (DF)
> 16:02:57.088961 server.53 > client.43312: . ack 37 win 5840 (DF)
> 16:03:53.003632 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:03:56.002763 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:04:02.002729 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:04:14.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:04:38.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:05:26.002825 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:07:02.002781 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:09:02.002768 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:11:02.002764 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:13:02.002756 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:15:02.002740 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:17:02.002774 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:19:02.002742 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:21:02.002782 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:23:02.002750 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)
> 16:25:02.002754 server.53 > client.43312: P 1:37(36) ack 37 win 5840
> 7261 ServFail 0/0/0 (34) (DF)

> [2] repeated SYN =========================================================
> 12:58:44.276476 client.59163 > server.53: S 3109183:3109183(0) win 8192
> <mss 1452,nop,nop,sackOK> (DF)
> 12:58:44.276510 server.53 > client.59163: S 3599383948:3599383948(0) ack
> 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 12:58:44.302861 client.59163 > server.53: R 3109184:3109184(0) win 0
> 12:58:48.407735 server.53 > client.59163: S 3599383948:3599383948(0) ack
> 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 12:58:55.778830 server.53 > client.59163: S 3599383948:3599383948(0) ack
> 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 12:59:07.931183 server.53 > client.59163: S 3599383948:3599383948(0) ack
> 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 12:59:33.431181 server.53 > client.59163: S 3599383948:3599383948(0) ack
> 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 13:00:21.442892 server.53 > client.59163: S 3599383948:3599383948(0) ack
> 3109184 win 5840 <mss 1460,nop,nop,sackOK> (DF)

> -- 
> Hyo-jeong Shin
> Internet Networking Team
> KT Corporation, Technology Lab.
> 463-1 Jeonmin-dong, Yuseong-gu, Daejeon 305-811, KOREA
> Office:042-870-8194(or 0502-393-2228) Fax:042-870-8339

For some strange reason your (broken) client is asking over TCP,
and when no answer is received after a minute, the (still broken)
client freezes while the server continues retransmitting.

You have two actions to take:

upgrade named ( 8.2.7 is very old )

replace client (it's broken)


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
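
Added example, not part of the original thread: a small Python check that groups segments from a text tcpdump by source, destination, flags and sequence range, then reports the gaps between repeats. Run on lines from trace [1], it shows the server's retransmissions doubling up to a ceiling of 120 s, the maximum retransmission timeout on Linux; the function names and the `cap` parameter are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines taken from trace [1] above, unwrapped, with the DNS decode trimmed.
TRACE = """\
16:02:57.088947 client.43312 > server.53: P 1:37(36) ack 1 win 17520
16:02:57.088961 server.53 > client.43312: . ack 37 win 5840 (DF)
16:03:53.003632 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:03:56.002763 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:04:02.002729 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:04:14.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:04:38.002728 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:05:26.002825 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:07:02.002781 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:09:02.002768 server.53 > client.43312: P 1:37(36) ack 37 win 5840
16:11:02.002764 server.53 > client.43312: P 1:37(36) ack 37 win 5840
"""

# timestamp, src, dst, flags, seq start, seq end (old tcpdump text format)
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+) (\d+):(\d+)\(\d+\)")

def retransmissions(text):
    """Return {(src, dst, flags, seq_start, seq_end): [gap seconds, ...]}
    for every segment that appears more than once."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # pure ACKs print no seq range in this format
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        seen[m.groups()[1:]].append(ts)
    return {
        key: [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        for key, stamps in seen.items() if len(stamps) > 1
    }

def looks_like_rto_backoff(gaps, cap=120):
    """True if each gap doubles the previous one until it reaches cap
    (120 s is assumed here, the Linux maximum retransmission timeout)."""
    return len(gaps) > 1 and all(b == min(2 * a, cap) for a, b in zip(gaps, gaps[1:]))

if __name__ == "__main__":
    for key, gaps in retransmissions(TRACE).items():
        print(key, gaps, "RTO backoff" if looks_like_rto_backoff(gaps) else "irregular")
```

A segment that repeats on this schedule with no acknowledgement in between is the sender's TCP stack retrying, not the application sending new responses.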

