more info on: query attack?
From: Cameron Knowlton
Date: Friday, November 24, 2000
Time: 6:18:41 pm

I've gone a little further analyzing the packets from those two IPs below:
207.67.172.150 (packet "#2" below)
207.67.168.40 (packet "#3" below)
here are the packet analyses for each:
(this is a bit above me right at the moment... off to the 'net I go)
-------------------------
Packet #2
Flags: 0x00
Status: 0x01
Packet Length:97
Timestamp: 19:03:03.666113 11/24/2000
Ethernet Header
Destination: 00:50:E4:90:2D:27
Source: 00:E0:39:80:1C:78
Protocol Type:0x0800 IP
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5 (20 bytes)
Precedence: 0
Type of Service: %0000
Unused: %0
Total Length: 79
Identifier: 56105
Fragmentation Flags: %000
Fragment Offset: 0 (0 bytes)
Time To Live: 50
IP Type: 0x11 UDP
Header Checksum: 0x0461
Source IP Address: 207.67.172.150
Dest. IP Address: 209.91.91.222
No Internet Datagram Options
UDP - User Datagram Protocol
Source Port: 65534
Destination Port: 53 Domain Name Server
Length: 59
Checksum: 0xEE0D
DNS - Domain Name System Protocol
Identification: 0x0514
Parameter: 0x0000
Request
Standard Query
Number of Questions: 1
Number of Answers: 0
Number of Authority: 0
Number of Additional: 0
Query Domain Name: 194.192-27.91.91.209.IN-ADDR.ARPA
Query Type: 12 Domain Name Pointer
Query Class: 1 Internet
Frame Check Sequence: 0x00000000
Packet #3
Flags: 0x00
Status: 0x01
Packet Length:97
Timestamp: 19:03:04.113734 11/24/2000
Ethernet Header
Destination: 00:50:E4:90:2D:27
Source: 00:E0:39:80:1C:78
Protocol Type:0x0800 IP
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5 (20 bytes)
Precedence: 0
Type of Service: %0000
Unused: %0
Total Length: 79
Identifier: 36989
Fragmentation Flags: %000
Fragment Offset: 0 (0 bytes)
Time To Live: 51
IP Type: 0x11 UDP
Header Checksum: 0x527B
Source IP Address: 207.67.168.40
Dest. IP Address: 209.91.91.222
No Internet Datagram Options
UDP - User Datagram Protocol
Source Port: 53668
Destination Port: 53 Domain Name Server
Length: 59
Checksum: 0xC510
DNS - Domain Name System Protocol
Identification: 0xC038
Parameter: 0x0000
Request
Standard Query
Number of Questions: 1
Number of Answers: 0
Number of Authority: 0
Number of Additional: 0
Query Domain Name: 194.192-27.91.91.209.in-addr.arpa
Query Type: 12 Domain Name Pointer
Query Class: 1 Internet
Frame Check Sequence: 0x00000000
>Our DNS server, 209.91.91.194, is getting hit about once a second by a request that looks pretty weird.
>
>A snippet of the detailed QuickDNS log shows:
>
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.172.150:65534"
>Query: "194.192-27.91.91.in-addr.arpa." - requested from "207.67.168.40:53668"
>
>Am I under attack? Or does QuickDNS have the hiccups?
>
>I've spoken with the tech at 207.67.172.150 (uia.net); he's extremely high level, has been programming firewalls for years, and has never seen anything like this before. According to him, his system (207.67.172.150) is *NOT* the one generating the queries.
>
>Any thoughts? My mind's become oatmeal.
>
>Cameron Knowlton
>cameronk@macgods.com
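The query name in both packet decodes, `194.192-27.91.91.209.in-addr.arpa`, is the RFC 2317 classless reverse-delegation form of a PTR lookup: the `192-27` label names the block 209.91.91.192/27 and the leading `194` is the host within it, so the packets are reverse lookups for 209.91.91.194, the address of the DNS server being queried. The script below is an added example, not part of the original post or of QuickDNS: it decodes such names into host and delegated block, then tallies queries per source address over log lines in the shape of the QuickDNS excerpt. The sample lines are constructed here, using the full name from the packet decode (the log excerpt above omits the `209` octet); the `Query: "..." - requested from "ip:port"` layout is assumed from the excerpt, not from any QuickDNS documentation.

```python
"""Decode classless (RFC 2317 style) PTR query names and tally them per source.

Added example, not code from the original post or from QuickDNS.
"""
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Constructed sample lines in the shape of the QuickDNS excerpt; the query name
# is the full form seen in the packet decode. The last line is a non-PTR query
# added to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Query: "194.192-27.91.91.209.in-addr.arpa." - requested from "207.67.172.150:65534"
Query: "194.192-27.91.91.209.in-addr.arpa." - requested from "207.67.168.40:53668"
Query: "194.192-27.91.91.209.in-addr.arpa." - requested from "207.67.172.150:65534"
Query: "194.192-27.91.91.209.in-addr.arpa." - requested from "207.67.168.40:53668"
Query: "194.192-27.91.91.209.in-addr.arpa." - requested from "207.67.168.40:53668"
Query: "www.example.com." - requested from "192.0.2.10:4000"
"""

# Assumed log layout, taken from the excerpt in the post.
LOG_RE = re.compile(
    r'Query: "(?P<name>[^"]+)" - requested from "(?P<src>[^":]+):(?P<port>\d+)"'
)
# RFC 2317 classless label: <start>-<prefix> or <start>/<prefix>.
CLASSLESS_RE = re.compile(r"^(\d+)[-/](\d+)$")


def decode_ptr_name(name):
    """Return (host, network) for an in-addr.arpa name, or None if undecodable.

    Handles the plain form d.c.b.a.in-addr.arpa (network is None) and the
    RFC 2317 classless form d.<start>-<prefix>.c.b.a.in-addr.arpa, where the
    extra label names the delegated block a.b.c.<start>/<prefix>.
    Raises ValueError if the host lies outside the delegated block.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = list(reversed(labels[:-2]))  # a, b, c, [classless], d
    if len(octets) not in (4, 5):
        return None
    network = None
    try:
        if len(octets) == 5:
            m = CLASSLESS_RE.match(octets[3])
            if not m:
                return None
            start, prefix = int(m.group(1)), int(m.group(2))
            # strict=True rejects a start address with host bits set.
            network = IPv4Network(
                f"{octets[0]}.{octets[1]}.{octets[2]}.{start}/{prefix}", strict=True
            )
            del octets[3]
        host = IPv4Address(".".join(octets))
    except ValueError:
        return None  # malformed label, octet or block
    if network is not None and host not in network:
        raise ValueError(f"{host} is outside the delegated block {network}")
    return host, network


def tally_sources(log_text):
    """Count decodable PTR queries per source address and per decoded host.

    Returns (per_source, per_host) Counters keyed by source IP string and by
    the decoded host address string. Lines that are not in the assumed log
    layout, or whose name is not a decodable reverse name, are skipped.
    """
    per_source = Counter()
    per_host = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        decoded = decode_ptr_name(m.group("name"))
        if decoded is None:
            continue
        host, _network = decoded
        per_source[m.group("src")] += 1
        per_host[str(host)] += 1
    return per_source, per_host


if __name__ == "__main__":
    host, network = decode_ptr_name("194.192-27.91.91.209.IN-ADDR.ARPA")
    print(f"reverse lookup for {host} in delegated block {network}")
    per_source, per_host = tally_sources(SAMPLE_LOG)
    for src, n in per_source.most_common():
        print(f"{src:>16}  {n} queries")
    for h, n in per_host.most_common():
        print(f"PTR target {h}: {n} queries")
```

Run over a real log, the per-host tally shows whether every query targets one address (here the server's own) and the per-source tally shows how many distinct hosts are asking; the decoder also catches a classless label whose block does not contain the host, which is the one shape of this name that would be inconsistent rather than merely unfamiliar.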