On Mon, 1 Apr 2013 21:06:27 -0400 (EDT) Jon Lewis <[email protected]> wrote:
> I was watching the DNS query stream hitting a few rbldnsd servers
> recently and noticed a small % of systems sending queries padded with
> hundreds of nulls at the end of the packet. 540 is a common total
> packet size (512 byte query + 28 bytes IP/UDP header). 551/523 is

I remember seeing this at Ultra. It was always for BL stuff. I don't remember if it was one specific BL or not, but I remember thinking it odd.

I didn't look into it, but I noticed it during DDoS attacks when we were getting floods of garbage to UDP dest port 53, much of the attack traffic being large messages, which are generally unexpected for queries arriving at auth servers. I noticed if we were to filter on large messages we would have dropped a small number of those legit ones.

I never bothered to get to the bottom of it, but I'm still curious. Since it has been going on for years, presuming we're talking about the same thing, which I'm confident we are, I wonder if there is some specific custom code that is generating this stuff. Is it for a particular BL, BL user maybe? What else is in common? Any particular source network, node type? Maybe there is just some common code doing the lookups and it happens to pad the message with null bytes?

John
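The thread's concern is that a blunt "drop large UDP/53 messages" filter would also drop the NUL-padded but otherwise legitimate BL queries. The following is an added example (not code from either poster, nor from rbldnsd) that parses the DNS header and question section of a query payload and classifies whatever follows the question as nothing, pure NUL padding, or non-NUL trailing data, so padded queries can be counted or logged separately from garbage. The query name and the 512-byte padding target are constructed sample values.

```python
import struct

def build_query(qname: str, qtype: int = 1, pad_to: int = 0) -> bytes:
    """Build a minimal DNS query (RD set, one question) and NUL-pad it
    to pad_to bytes, mimicking the padded queries seen in the thread."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    msg = header + question
    return msg + b"\x00" * max(0, pad_to - len(msg))

def question_end(msg: bytes) -> int:
    """Return the offset just past the question section. Query names are
    not compressed, so a compression pointer here is treated as an error."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12  # fixed DNS header length
    for _ in range(qdcount):
        while True:
            length = msg[off]
            off += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in query name")
            off += length
        off += 4  # QTYPE + QCLASS
    return off

def classify(msg: bytes) -> str:
    """Classify a UDP/53 payload: 'normal', 'nul-padded', 'trailing-junk',
    or 'needs-rr-parsing' when it is a response or carries RR sections
    (e.g. an EDNS OPT record) that this example does not walk."""
    _, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or an or ns or ar:
        return "needs-rr-parsing"
    trailer = msg[question_end(msg):]
    if not trailer:
        return "normal"
    if trailer.count(0) == len(trailer):
        return "nul-padded"
    return "trailing-junk"

# Sample (constructed) BL-style lookup, padded to a 512-byte UDP payload,
# i.e. the 540-byte on-the-wire size quoted in the thread once IP/UDP headers are added.
PADDED = build_query("4.3.2.1.example-bl.test", pad_to=512)
```

Counting the three classes separately in a capture tells you how many of the "large" queries a size-based filter would actually have dropped.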
