Robert Schwartz <[email protected]> wrote:
>
> The other interesting thing I noticed about the attack packets is that
> the source port and transaction ID are transposed. This could be used to
> fingerprint the abusive packets. Here are a few lines from our TinyDNS
> log (domain names removed and time-codes converted to a reader-friendly
> format):
>
> 2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
> 2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
> 2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
> 2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
> 2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
> 2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
> 2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
>
> The three sets of hex separated by colons represent Source IP:Source
> Port:Transaction ID
> (tinydns log file format is explained here:
> http://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html )
>
> Looking at the last line, for example, shows: source port: c6df and its
> inverse ID: dfc6
>
> Anyone else seeing this behaviour in their logs?
Interesting! I have taught BIND to log query ports and IDs in hex and I'll
see if I spot anything like this. (But the only dodgy traffic I have seen
so far on my toy name server is queries from spam bots...)

https://github.com/fanf2/bind-9/commit/8295e34907e8e06c65f0eae3d7d6d558b640f2cf

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
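The fingerprint Robert describes (transaction ID equal to the byte-swapped source port) is easy to check mechanically over a tinydns query log. The script below is an added example written for this page; it is not code from either poster, from djbdns or from the BIND patch Tony links. It parses the `ip:port:id flag qtype` fields of tinydns log lines (whatever timestamp form precedes them), counts per source address how many queries carry a swapped ID, and flags sources only when several packets match, since a single random 16-bit ID collides with the swapped port with probability 1/65536 and is no evidence on its own. The ten attack lines are taken from the post; the two `0a000001` lines are constructed benign queries added for contrast.

```python
"""Flag DNS query sources whose transaction ID is the byte-swapped source
port, over tinydns query-log lines.  Example code added to this page; not
from the original posters, djbdns or BIND."""

import re
from collections import defaultdict

# The "ip:port:id flag qtype" fields of a tinydns query log line.  Whatever
# precedes them (a raw @tai64n stamp or a converted timestamp, as in the
# post) is skipped, as is the query name that may follow.
QUERY_RE = re.compile(
    r"(?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<id>[0-9a-f]{4})"
    r" (?P<flag>\S) (?P<qtype>[0-9a-f]{4})"
)

# First ten lines copied from the post; the two 0a000001 (10.0.0.1) lines
# are constructed benign queries whose ID is unrelated to the port.
SAMPLE_LOG = """\
2012-09-11 04:19:56.006172500 7115dd15:1ca3:a31c + 00ff
2012-09-11 04:19:56.010172500 7115dd15:b571:71b5 + 00ff
2012-09-11 04:19:56.014172500 7115dd15:9cd1:d19c + 00ff
2012-09-11 04:19:56.026172500 7115dd15:538a:8a53 + 00ff
2012-09-11 04:19:56.026172500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.042173500 7115dd15:40ac:ac40 + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6fa5:a56f + 00ff
2012-09-11 04:19:56.066173500 7115dd15:6e38:386e + 00ff
2012-09-11 04:19:56.074173500 7115dd15:9729:2997 + 00ff
2012-09-11 04:19:56.082173500 7115dd15:c6df:dfc6 + 00ff
2012-09-11 04:19:57.001000000 0a000001:d2f1:3b9e + 0001
2012-09-11 04:19:57.002000000 0a000001:8e12:44c0 + 0001
"""


def swap16(value):
    """Swap the two bytes of a 16-bit value: 0xc6df -> 0xdfc6."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def is_swapped_id(port, qid):
    """True when the transaction ID is exactly the byte-swapped source port."""
    return swap16(port) == qid


def hex_ip_to_dotted(hex_ip):
    """tinydns logs IPv4 as 8 hex digits: 7115dd15 -> 113.21.221.21."""
    return ".".join(str(int(hex_ip[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_line(line):
    """Return the query fields of one log line, or None if it is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": hex_ip_to_dotted(m.group("ip")),
        "port": int(m.group("port"), 16),
        "id": int(m.group("id"), 16),
        "flag": m.group("flag"),
        "qtype": int(m.group("qtype"), 16),
    }


def scan(log_text):
    """Per source IP: (queries whose ID is the swapped port, total queries)."""
    matches = defaultdict(int)
    totals = defaultdict(int)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        totals[q["ip"]] += 1
        if is_swapped_id(q["port"], q["id"]):
            matches[q["ip"]] += 1
    return {ip: (matches[ip], totals[ip]) for ip in totals}


def flagged_sources(log_text, min_matches=3, min_ratio=0.9):
    """Sources worth filtering.  A lone match is weak evidence (a random
    16-bit ID equals the swapped port with probability 1/65536), so require
    several matching packets and a high match ratio per source."""
    out = []
    for ip, (hits, total) in scan(log_text).items():
        if hits >= min_matches and hits / total >= min_ratio:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    for ip, (hits, total) in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip:15s} swapped-id {hits}/{total}")
    print("flagged:", flagged_sources(SAMPLE_LOG))
```

On the sample, 113.21.221.21 scores 10/10 and is flagged while 10.0.0.1 scores 0/2 and is not. To run it on a live tinydns log, pass the file contents (raw `@` tai64n stamps work too, since the regex anchors on the hex fields) and tune `min_matches`/`min_ratio` to the query volume you normally see per client.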
