[Full-Disclosure] (Fwd) Re: more malformed DNS queries
Bill Scherr IV, GSEC, GCIA
bschnzl at cotse.net
Thu Oct 16 00:38:27 BST 2003
AYup...
It started circa 26 Sept... Any ideas?
B.
------- Forwarded message follows -------
Date sent: Tue, 14 Oct 2003 08:48:40 -0400
From: George Bakos <gbakos at ists.dartmouth.edu>
To: {snipped}
Copies to: intrusions at incidents.org
Subject: Re: more malformed DNS queries
Organization: Dartmouth College - ISTS
{more snip}
This appears to be part of a fairly sophisticated dns fingerprinting
effort that we are currently investigating.
Could you, and anyone else that is seeing this traffic, possibly provide
packet logs and/or binary captures?
A tcpdump filter that has been 100% effective, thus far, is:
dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000
or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))
Thanks!
g
On Mon, 13 Oct 2003 22:05:46 -0400
Tyler <tyler at hudakville.com> wrote:
> Today I saw a laptop on my VPN sending a large amount of
> malformed DNS requests to seemingly random destination
addresses.
{another snip}
--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos at ists.dartmouth.edu
------- End of forwarded message -------
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962
Full-Disclosure is hosted and sponsored by Secunia.