Re: Malformed DNS or something odd (or just me)

From: Paul Daniel (paul_at_pdaniel.co.uk)
Date: 11/10/04

    Date: 10 Nov 2004 11:34:56 -0000
    To: incidents@securityfocus.com
    In-Reply-To: <DBFEE2504DFED211AF4A0090271759D63621F6@INETSERVER>

    >Subject: Malformed DNS or something odd (or just me)
    >Date: Wed, 7 Apr 2004 14:44:59 +0100
    >
    >
    >Hi list,
    >
    >Over the last week or so I have seen what looks (to my untrained eye)
    >like some kind of funky, malicious or malformed DNS traffic turning up
    >at my network borders.
    >
    >I'd appreciate any light that anyone can shed upon the matter,
    >largely to satisfy my morbid curiosity and craving for knowledge :-)
    >
    >It may be that this is entirely regular traffic, but it doesn't
    >look like the kind of traffic I usually see on UDP port 53 (and as for
    >the other ports...)
    >
    >Much of the action looks like this :
    >
    >
    >04/03-20:33:42.525759 62.253.119.103:41601 -> 192.168.0.88:53
    >UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
    >Len: 12
    >01 02 00 07 D1 86 3F C3 26 14 01 00 ......?.&...
    >
    I've just started getting the same traffic after an IP address change. The UDP traffic goes to port 53 or 6716 and most of the traffic comes from port 53 (various IP addresses).
    A typical payload is:
    01 02 00 07 D1 86 3F C3 26 14 01 02 C3 1D 51 22 ......?.&.....Q"
    35 00 CA 14 14 81 35 00 5.....5.
    The first 11 bytes are fixed, and the 12th byte is the number of 'records' to follow where a record consists of 4 bytes followed by 35 00 (at least that's the way it looks to me).
    Since it only started after an IP change, I'm guessing that it is some form of P2P activity associated with a previous owner of the IP address.
    The traffic has always been blocked, so I'm not worried about having been compromised, but would like to be able to put a name to this activity.

    Thanks in advance for any suggestions
    Paul Daniel
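As an added illustration (not part of the original thread), a small Python checker and parser for the payload layout described in the reply above: 11 fixed bytes, a record-count byte, then 6-byte records. Reading each record as an IPv4 address followed by a little-endian port (0x0035 = 53) is an assumption of mine, not something the post states; the sample payloads are constructed from the hex dumps quoted above.

```python
import struct
from typing import List, Tuple

# Fixed 11-byte prefix, taken from the dumps quoted in the thread.
FIXED_PREFIX = bytes.fromhex("01 02 00 07 D1 86 3F C3 26 14 01")
RECORD_LEN = 6  # 4 bytes followed by 35 00, as the reply describes

# Sample payloads constructed from the two hex dumps in the post.
SHORT_PAYLOAD = bytes.fromhex("01 02 00 07 D1 86 3F C3 26 14 01 00")
LONG_PAYLOAD = bytes.fromhex(
    "01 02 00 07 D1 86 3F C3 26 14 01 02"
    "C3 1D 51 22 35 00 CA 14 14 81 35 00"
)


def matches_signature(payload: bytes) -> bool:
    """True if the datagram starts with the fixed prefix and its total length
    agrees with the record count in the 12th byte (index 11)."""
    if len(payload) < len(FIXED_PREFIX) + 1:
        return False
    if not payload.startswith(FIXED_PREFIX):
        return False
    count = payload[11]
    return len(payload) == len(FIXED_PREFIX) + 1 + count * RECORD_LEN


def parse_records(payload: bytes) -> List[Tuple[str, int]]:
    """Split the body into (dotted-quad, port) tuples.

    ASSUMPTION (mine, not the post's): the first 4 bytes of each record are
    an IPv4 address and the trailing 2 bytes a little-endian port number.
    """
    if not matches_signature(payload):
        raise ValueError("payload does not match the reported format")
    count = payload[11]
    body = payload[12:]
    records = []
    for i in range(count):
        chunk = body[i * RECORD_LEN:(i + 1) * RECORD_LEN]
        ip = ".".join(str(b) for b in chunk[:4])
        (port,) = struct.unpack("<H", chunk[4:6])  # 35 00 -> 53
        records.append((ip, port))
    return records


if __name__ == "__main__":
    for p in (SHORT_PAYLOAD, LONG_PAYLOAD):
        print(matches_signature(p), parse_records(p))
```

Under that assumption the two records in the longer dump decode to 195.29.81.34:53 and 202.20.20.129:53, which would fit a peer list where every peer listens on UDP 53; a truncated or over-long datagram fails the length check rather than being parsed.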

