On Tue, Oct 15, 2013 at 03:58:10AM +0000, Dobbins, Roland wrote:
> What we have noticed however is all the attack traffic regardless of
> the source, destination, targeted URL or query has a common pattern
> matching signature of \50\fa\00\08\00\01\20 common to every packet
> generated from this substantial botnet which is frequently published
> on this amplification attack webpage.
> http://dnsamplificationattacks.blogspot.com.au/
We don't know where the magic string "\50\fa\00\08\00\01\20" appears in
the packet. I could not quickly find it at the URL above.

This sequence may not have a bad origin. It could be the EDNS0
client-subnet extension:

   50 fa 00 08 00 01 20 SN aa bb cc dd
   ^^^^^ ^^^^^ ^^^^^ ^^ ^^ ^^^^^^^^^^^
   |     |     |     |  |  `------ client IPv4 address
   |     |     |     |  `--------- scope netmask
   |     |     |     `------------ source netmask (0x20 = 32 bits)
   |     |     `------------------ address family (0x0001 = IPv4)
   |     `------------------------ option length
   `------------------------------ old EDNS0 option code for client subnet

The option code 50fa has been changed now to 8 in
<http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02>,
but you can see this code in older patches to dig:
<http://wilmer.gaa.st/edns-client-subnet/bind-9.7.1-dig-edns-client-subnet.diff>

But we don't know for sure where in the packet this string came from. :)

Mukund
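To make the decoding above concrete, here is an added example (not part of the original thread) that walks the options in an OPT pseudo-RR's RDATA and decodes a client-subnet option under either the legacy 0x50fa code or the assigned code 8, so a packet carrying "50 fa 00 08 00 01 20 ..." can be checked against the ECS layout rather than treated as an opaque signature. The sample bytes are constructed; the option-code labels and the ECS_OPTION_CODES / ADDRESS_FAMILIES tables are this example's own names.

```python
import ipaddress
import struct
# Option codes for EDNS0 Client Subnet: the pre-standard value seen in the old
# dig patch (0x50fa) and the IANA-assigned code 8 used by later drafts.
ECS_OPTION_CODES = {0x50FA: "client-subnet (legacy 0x50fa)", 8: "client-subnet (code 8)"}
ADDRESS_FAMILIES = {1: (4, ipaddress.IPv4Address), 2: (16, ipaddress.IPv6Address)}

def parse_edns_options(rdata: bytes):
    """Walk OPT pseudo-RR RDATA: a sequence of (code, length, data) TLVs."""
    options, pos = [], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        data = rdata[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS0 option")
        options.append((code, data))
        pos += 4 + length
    if pos != len(rdata):
        raise ValueError("trailing bytes after last EDNS0 option")
    return options

def decode_client_subnet(data: bytes):
    """Decode family, source prefix, scope prefix and the truncated address."""
    if len(data) < 4:
        raise ValueError("client-subnet option too short")
    family, source, scope = struct.unpack("!HBB", data[:4])
    if family not in ADDRESS_FAMILIES:
        raise ValueError(f"unknown address family {family}")
    width, cls = ADDRESS_FAMILIES[family]
    addr_bytes = data[4:]
    # The address is carried truncated to ceil(source_prefix / 8) octets.
    if len(addr_bytes) != (source + 7) // 8 or len(addr_bytes) > width:
        raise ValueError("address length does not match source prefix")
    address = cls(addr_bytes.ljust(width, b"\x00"))
    return {"family": family, "source_prefix": source,
            "scope_prefix": scope, "address": str(address)}

def describe_options(rdata: bytes):
    """Label each option; the 50 fa 00 08 00 01 20 prefix decodes as an ECS entry."""
    out = []
    for code, data in parse_edns_options(rdata):
        if code in ECS_OPTION_CODES:
            out.append((ECS_OPTION_CODES[code], decode_client_subnet(data)))
        else:
            out.append((f"option {code}", data.hex()))
    return out

# Constructed sample: the quoted bytes, then scope 0 and the address 192.0.2.1.
SAMPLE = bytes.fromhex("50fa0008000120" + "00" + "c0000201")
```

Feeding the RDATA of a real query's OPT record through describe_options separates a well-formed ECS option (family, prefix lengths and address all consistent) from a byte string that merely happens to share the same leading octets.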
