On 11.09.2012 17:09, Robert Schwartz wrote:
The other interesting thing I noticed about the attack packets is that the source port and transaction ID are transposed. This could be used to fingerprint the abusive packets. Here are a few lines from our TinyDNS log (domain names removed and time-codes converted to a reader-friendly format):

2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff

The three sets of hex separated by colons represent Source IP:Source Port:Transaction ID (the tinydns log file format is explained here: http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html ).

Looking at the last line, for example, shows:

source port: c6df
and its inverse ID: dfc6

Anyone else seeing this behaviour in their logs?
Nice observation - same here. Is there any software known for such behavior?
regards
Klaus
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
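A detector for the pattern Robert describes, added here as an example that is not from the thread or from djbdns itself: it parses tinydns log lines in the layout documented at the link above (source IP, source port and query ID as hex, then status, query type and name) and flags entries whose transaction ID is the byte-swapped source port. Because a correct resolver chooses the ID independently of the port, one such line is a 1-in-65536 coincidence, so the code also aggregates hits per source so that a run from one address, rather than a single match, is what stands out. The sample log is constructed; its first three lines reproduce Robert's excerpt, the rest are made-up ordinary queries for contrast.

```python
"""Flag tinydns log entries whose DNS transaction ID is the byte-swapped
source port (the pattern reported in this dns-operations thread).

Added example, not code from the thread or from djbdns. Assumes the tinydns
log layout documented at
http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html, with timestamps
either raw TAI64N (@4000...) or already converted as in Robert's excerpt:

    <timestamp> <src ip hex>:<src port hex>:<query id hex> <status> <qtype hex> [<name>]
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log. The first three lines reproduce the thread's excerpt
# (names removed); the remaining lines are made up for contrast.
SAMPLE_LOG = """\
2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
2012-09-11 04:19:57.101234500 0a000002:d431:1f2a + 0001 www.example.com
2012-09-11 04:19:57.221234500 0a000002:e010:10e0 + 001c mail.example.com
2012-09-11 04:19:58.331234500 c0a80105:0035:0035 - 0001 www.example.com
"""

_LINE_RE = re.compile(
    r"^(?P<ts>@[0-9a-f]+|\S+ \S+) "   # TAI64N or converted "date time" stamp
    r"(?P<ip>[0-9a-f]{8}):"           # source IPv4 as 8 hex digits
    r"(?P<port>[0-9a-f]{4}):"         # source UDP port
    r"(?P<qid>[0-9a-f]{4}) "          # DNS transaction ID
    r"(?P<status>\S) "                # + answered, - refused, etc.
    r"(?P<qtype>[0-9a-f]{4})"         # query type in hex; 00ff is ANY
    r"(?: (?P<name>\S+))?\s*$"        # name is optional (may be redacted)
)


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    source_ip: str
    port: int
    query_id: int
    status: str
    qtype: int
    name: Optional[str]


def swap_bytes(value: int) -> int:
    """Swap the two bytes of a 16-bit value, e.g. 0xc6df -> 0xdfc6."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one tinydns log line; return None for lines that do not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return LogEntry(
        timestamp=m["ts"],
        source_ip=str(ipaddress.IPv4Address(int(m["ip"], 16))),
        port=int(m["port"], 16),
        query_id=int(m["qid"], 16),
        status=m["status"],
        qtype=int(m["qtype"], 16),
        name=m["name"],
    )


def is_transposed(entry: LogEntry) -> bool:
    """True when the query ID equals the byte-swapped source port.

    For an honest client this coincides by chance about 1 in 65536 times,
    so a single hit is noise; a run of hits from one source is the signal.
    """
    return entry.query_id == swap_bytes(entry.port)


def find_transposed(log_text: str) -> list[LogEntry]:
    """Return every parseable entry showing the port/ID transposition."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and is_transposed(e)]


def summarize_by_source(log_text: str) -> dict[str, tuple[int, int]]:
    """Map source IP -> (transposed hits, total parsed queries)."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        counts[entry.source_ip][1] += 1
        if is_transposed(entry):
            counts[entry.source_ip][0] += 1
    return {ip: (hits, total) for ip, (hits, total) in counts.items()}


if __name__ == "__main__":
    for ip, (hits, total) in summarize_by_source(SAMPLE_LOG).items():
        flag = "TRANSPOSED" if total > 1 and hits == total else ""
        print(f"{ip:<16} {hits}/{total} port/ID transposed {flag}")
```

Run against a real log, the per-source summary is the part worth acting on: a source where every query shows the transposition (and, as in the excerpt, all queries are type ANY) is a much stronger indicator than any one line, and the summary is easy to feed into whatever rate-limiting or blocking mechanism is already in place.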
