DNS packet analysis.

From: larosa, vjay (larosa_vjay@emc.com)
Date: 12/11/02

    From: "larosa, vjay" <larosa_vjay@emc.com>
    To: "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
    Date: Wed, 11 Dec 2002 15:37:40 -0500
    
    

    Hello,

    These packets were caught using a shadow IDS sensor. I was hoping that somebody
    in the list could help me understand what is happening below. I am familiar
    with snort and tcpdump, as well as the concept of packet fragmentation. I am
    mostly interested in finding out about the DNS requests being made, and why
    they come back fragmented.

    TIA.

    vjl

    12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
    12:15:24.152128 DNS.server.com.33795 > outside.guy.com.domain: 46806 [1au][|domain] (DF)
    12:15:24.157454 DNS.server.com.33795 > outside.guy.com.domain: 9239 [1au][|domain] (DF)
    12:15:24.158551 DNS.server.com.33795 > outside.guy.com.domain: 46805 [1au][|domain] (DF)
    12:15:24.159592 DNS.server.com.33795 > outside.guy.com.domain: 50353 [1au][|domain] (DF)
    12:15:24.160626 DNS.server.com.33795 > outside.guy.com.domain: 17807 [1au][|domain] (DF)
    12:15:24.161826 DNS.server.com.33795 > outside.guy.com.domain: 19219 [1au][|domain] (DF)
    12:15:24.163753 DNS.server.com.33795 > outside.guy.com.domain: 59633 [1au][|domain] (DF)
    12:15:24.164545 DNS.server.com.33795 > outside.guy.com.domain: 18273 [1au][|domain] (DF)
    12:15:24.165679 DNS.server.com.33795 > outside.guy.com.domain: 48440 [1au][|domain] (DF)
    12:15:24.166673 DNS.server.com.33795 > outside.guy.com.domain: 61217 [1au][|domain] (DF)
    12:15:24.167800 DNS.server.com.33795 > outside.guy.com.domain: 29311 [1au][|domain] (DF)
    12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
    12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
    12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795: 46806[|domain] (frag 48819:1480@0+)
    12:15:24.295649 outside.guy.com > DNS.server.com: (frag 48819:575@1480)
    12:15:24.333422 outside.guy.com.domain > DNS.server.com.33795: 9239[|domain] (frag 48820:1480@0+)
    12:15:24.333473 outside.guy.com > DNS.server.com: (frag 48820:575@1480)
    12:15:24.360503 outside.guy.com.domain > DNS.server.com.33795: 46805[|domain] (frag 48821:1480@0+)
    12:15:24.360554 outside.guy.com > DNS.server.com: (frag 48821:575@1480)
    12:15:24.392889 outside.guy.com.domain > DNS.server.com.33795: 50353[|domain] (frag 48822:1480@0+)
    12:15:24.392940 outside.guy.com > DNS.server.com: (frag 48822:575@1480)
    12:15:24.428942 outside.guy.com.domain > DNS.server.com.33795: 17807[|domain] (frag 48823:1480@0+)
    12:15:24.428994 outside.guy.com > DNS.server.com: (frag 48823:575@1480)
    12:15:24.459730 outside.guy.com.domain > DNS.server.com.33795: 19219[|domain] (frag 48824:1480@0+)
    12:15:24.459781 outside.guy.com > DNS.server.com: (frag 48824:575@1480)
    12:15:24.494179 outside.guy.com.domain > DNS.server.com.33795: 59633[|domain] (frag 48825:1480@0+)
    12:15:24.494232 outside.guy.com > DNS.server.com: (frag 48825:575@1480)
    12:15:24.525783 outside.guy.com.domain > DNS.server.com.33795: 18273[|domain] (frag 48826:1480@0+)
    12:15:24.525841 outside.guy.com > DNS.server.com: (frag 48826:575@1480)
    12:15:24.559128 outside.guy.com.domain > DNS.server.com.33795: 48440[|domain] (frag 48827:1480@0+)
    12:15:24.559176 outside.guy.com > DNS.server.com: (frag 48827:575@1480)
    12:15:24.594751 outside.guy.com.domain > DNS.server.com.33795: 61217[|domain] (frag 48828:1480@0+)
    12:15:24.594801 outside.guy.com > DNS.server.com: (frag 48828:575@1480)
    12:15:24.624849 outside.guy.com.domain > DNS.server.com.33795: 29311[|domain] (frag 48829:1480@0+)
    12:15:24.624903 outside.guy.com > DNS.server.com: (frag 48829:575@1480)
    12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain: 4322 [1au][|domain] (DF)
    12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795: 4322[|domain] (frag 48830:1480@0+)
    12:23:55.641364 outside.guy.com > DNS.server.com: (frag 48830:575@1480)
    12:26:55.978869 ns2.lss.emc.com.61962 > outside.guy.com.domain: 40970 [1au][|domain] (DF)
    12:26:56.127074 outside.guy.com.domain > ns2.lss.emc.com.61962: 40970[|domain] (frag 6266:1480@0+)
    12:26:56.127125 outside.guy.com > ns2.lss.emc.com: (frag 6266:575@1480)

    V.Jay LaRosa
    Information Security
    (508)249-3355 office
    (508)498-5575 cell
    (888)799-9750 pager
    (508)497-8082 fax

    EMC Corporation
    171 South Street
    Hopkinton, MA 01748
    www.emc.com
    larosa_vjay@emc.com
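    As an added example (not part of the original post), a small Python parser for the tcpdump lines above: it pairs each query with its answer by DNS ID, attaches the trailing IP fragment by IP ID (that fragment carries no UDP header, so tcpdump prints no port or DNS ID for it), and checks whether the fragments reassemble. The `[1au]` on each query means the query carries one additional record, which in a query is normally the EDNS0 OPT record advertising a UDP buffer larger than 512 bytes; `frag 48818:1480@0+` then `48818:575@1480` is one 2055-byte IP payload (2047 bytes of DNS message after the 8-byte UDP header) split by a 1500-byte MTU. SAMPLE is a constructed excerpt in the post's format, not a real capture.

```python
import re

# Constructed sample in the tcpdump line format quoted in the post above
# (host names and IDs copied from the post; this is not a real capture).
SAMPLE = """\
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain: 4322 [1au][|domain] (DF)
12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795: 4322[|domain] (frag 48830:1480@0+)
"""
LINE = re.compile(r"^(\S+) (\S+) > (\S+): ?(\d+)?")    # ts src > dst: [dns id]
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # (frag ipid:len@offset[+])
UDP_HDR = 8                                            # UDP header bytes inside the IP payload

def parse_dns_lines(text):
    """Group query, answer and trailing IP fragments per DNS transaction ID."""
    txns, frag_owner = {}, {}          # dns id -> txn ; ip id -> dns id of first fragment
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, dns_id = m.groups()
        frag = FRAG.search(line)
        if dns_id and dst.endswith(".domain"):           # query to port 53
            txns[dns_id] = {"query_ts": ts, "resp_ts": None, "frags": [],
                            "edns_opt": "au]" in line}   # [1au]: one additional RR (OPT)
        elif dns_id and src.endswith(".domain"):         # answer: first (or only) fragment
            t = txns.setdefault(dns_id, {"query_ts": None, "resp_ts": None,
                                         "frags": [], "edns_opt": False})
            t["resp_ts"] = ts
            if frag:
                frag_owner[frag.group(1)] = dns_id
                t["frags"].append((int(frag.group(3)), int(frag.group(2)), frag.group(4) == "+"))
        elif frag and frag.group(1) in frag_owner:       # later fragment: no UDP header, so no DNS id
            txns[frag_owner[frag.group(1)]]["frags"].append(
                (int(frag.group(3)), int(frag.group(2)), frag.group(4) == "+"))
    return txns

def reassembly_status(frags):
    """(complete, ip_payload_len, dns_msg_len) from (offset, len, more_fragments) tuples."""
    frags, expected = sorted(frags), 0
    for off, size, _ in frags:
        if off != expected:                # gap or overlap: cannot reassemble
            return (False, None, None)
        expected = off + size
    if not frags or frags[-1][2]:          # last fragment still has MF set: answer incomplete
        return (False, expected, None)
    return (True, expected, expected - UDP_HDR)
```

    The second transaction in SAMPLE deliberately lacks its trailing fragment, so the parser reports it as incomplete; that is the case a sensor dropping or never seeing the second fragment would produce.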


