Title: Weird DNS queries increasing

We have been observing a steadily increasing rate of malformed DNS packets with predictable characteristics that do not exactly match any of the current discussions about malformed DNS packets.  The packets are UDP and destined to port 53 from random high ports and from random sources to random hosts.  We have seen at least three flavors of malformed DNS query packets with these characteristics:

Packet 1 (for lack of a better description)
Src:  81.41.208.187             dst: AAA.BBB.239.228  (non-existent host)
Src port: 53                    dst port: 53
UDP
QR
Opcode          Standard query
AA              Authoritative answer is False
TC              Truncation is False
RD              Recursion desired is False
RA              Recursion available is True
Z               111
RCODE           1110
Number of question records      53380
Number of answer records        16128
Number of Authority records     0
Number of Additional records    0

Packet 2
Src:  216.233.100.27            dst:  AAA.BBB.234.206 (non-existent host)
Src port:  40385                        dst port: 53
UDP
Opcode          Standard query
AA              Authoritative answer is False
TC              Truncation is False
RD              Recursion desired is False
RA              Recursion available is True
Z               111
RCODE           1110
Number of question records      1155
Number of answer records        16128
Number of Authority records     0
Number of Additional records    0

Packet 3
Src:  66.227.160.128            dst:  AAA.BBB.217.234 (non-existent host)
Src port: 53                    dst port: 53
UDP
Opcode          Standard query
AA              Authoritative answer is False
TC              Truncation is False
RD              Recursion desired is False
RA              Recursion available is True
Z               111
RCODE           1110
Number of question records      53380
Number of answer records        16166
Number of Authority records     8
Number of Additional records    5082
Question Records
        Question Record 1                       1110

Any ideas?

Faron
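
An added example, not part of the original post: a header sanity check that decodes the 12-byte DNS header and flags the properties visible in the three dumps above (RA, Z and RCODE set in a standard query, and record counts no datagram of that size could hold). The function names, the transaction ID and the bytes after the header are constructed, since the post does not show them.

```python
import struct

MIN_QUESTION = 5   # root name (1) + QTYPE (2) + QCLASS (2)
MIN_RR = 11        # root name (1) + TYPE/CLASS (4) + TTL (4) + RDLENGTH (2)

def parse_header(payload):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "z": (flags >> 4) & 0x7, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def anomalies(payload):
    """Return reasons a UDP/53 payload is implausible as a DNS message."""
    h = parse_header(payload)
    found = []
    if h["z"] & 0b100:  # top Z bit is still reserved; low two later became AD/CD
        found.append("reserved Z bit set")
    if h["qr"] == 0 and h["opcode"] == 0:  # standard query
        if h["ra"]:
            found.append("RA set in a query")
        if h["rcode"]:
            found.append("non-zero RCODE in a query")
        if h["ancount"] or h["nscount"]:
            found.append("answer/authority records in a query")
    # Lower bound on the bytes the advertised records would need.
    needed = (h["qdcount"] * MIN_QUESTION +
              (h["ancount"] + h["nscount"] + h["arcount"]) * MIN_RR)
    if needed > len(payload) - 12:
        found.append("record counts exceed payload size")
    return found

def build(flags, qd, an, ns, ar, body=b"\x00" * 8, ident=0x1234):
    # ID and body are constructed; the post does not show them.
    return struct.pack("!6H", ident, flags, qd, an, ns, ar) + body

# Flags 0x00FE = QR 0, opcode 0, AA/TC/RD 0, RA 1, Z 111, RCODE 1110 (from the post).
SAMPLES = {
    "packet 1": build(0x00FE, 53380, 16128, 0, 0),
    "packet 2": build(0x00FE, 1155, 16128, 0, 0),
    "packet 3": build(0x00FE, 53380, 16166, 8, 5082),
    "well-formed (constructed)": build(
        0x0100, 1, 0, 0, 0, b"\x07example\x03com\x00\x00\x01\x00\x01"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, anomalies(pkt) or "ok")
```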
