Re: Malformed DNS or something odd (or just me)
From: Paul Daniel (paul_at_pdaniel.co.uk)
Date: 10 Nov 2004 11:34:56 -0000 To: email@example.com('binary' encoding is not supported, stored as-is) In-Reply-To: <DBFEE2504DFED211AF4A0090271759D63621F6@INETSERVER>
>Subject: Malformed DNS or something odd (or just me)
>Date: Wed, 7 Apr 2004 14:44:59 +0100
>Over the last week or so I have seen what looks (to my untrained eye)
>like some kind of funky, malicious or malformed DNS traffic turning up
>at my network borders.
>I'd appreciate any light that anyone can shed upon the matter,
>largely to satisfy my morbid curiosity and craving for knowledge :-)
>It may be that this is entirely regular traffic, but it doesn't
>look like the kind of traffic I usually see on UDP port 53 (and as for
>the other ports...)
>Much of the action looks like this :
>04/03-20:33:42.525759 22.214.171.124:41601 -> 192.168.0.88:53
>UDP TTL:112 TOS:0x0 ID:53793 IpLen:20 DgmLen:40
>01 02 00 07 D1 86 3F C3 26 14 01 00 ......?.&...
I've just started getting the same traffic after an IP address change. The UDP traffic goes to port 53 or 6716 and most of the traffic comes from port 53 (various IP addresses).
A typical payload is:
01 02 00 07 D1 86 3F C3 26 14 01 02 C3 1D 51 22 ......?.&.....Q"
35 00 CA 14 14 81 35 00 5.....5.
The first 11 bytes are fixed, and the 12th byte is the number of 'records' to follow where a record consists of 4 bytes followed by 35 00 (at least that's the way it looks to me).
Since it only started after an IP change, I'm guessing that it is some form of P2P activity associated with a previous owner of the IP address.
The traffic has always been blocked, so I'm not worried about having been compromised, but would like to be able to put a name to this activity.
Thanks in advance for any suggestions