Ethereal-users: RE: [Ethereal-users] DNS Malformed Packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Wed, 4 May 2005 15:18:51 +1000
 
You are probably right (regarding Denial Of Service attempt). It
might be useful if you can use the "Decode as" function to force
decoding as DNS (or at least IP).

However, I have compared your trace with a valid DNS request that I have.
At offset 0x14 you have the value 0x4000 whereas my standard request has
the value 0x0000. These two bytes are the IP fragment offset field. What
this means, is that this packet is instructing you that the payload in
this IP packet should be "glued" on to the previous payload on this
connection contents at an offset of 0x4000 (16384) x 8 bytes (or 131072
bytes) after the first fragment. This would be unusual for a DNS request
(very big request indeed!!!)

Basically you have received an IP fragmentation attack. It may well be
causing your host to allocate more buffer space than it ought.

You may want to investigate and patch it appropriately.

Martin Visser, CISSP
Network and Security Consultant
Consulting & Integration
Technology Solutions Group - HP Services

410 Concord Road
Rhodes NSW  2138
Australia

Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visser@xxxxxx

This email (including any attachments) is intended only for the use of
the individual or entity named above and may contain information that is
confidential, proprietary or privileged. If you are not the intended
recipient, please notify HP immediately by return email and then delete
the email, destroy any printed copy and do not disclose or use the
information in it.


-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jim Gonzalez
Sent: Wednesday, 4 May 2005 8:10 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] DNS Malformed Packet

Hello,
        I used ethereal to diagnose a problem with my network this
morning but I cannot find a resolution. I think this was some type of
DOS. I did have some packet loss to my core router. Can someone explain
this occurrence and possibly direct me to some more information. Here
is the captured packet. Info on the is Unknown operation (6) [Malformed
Packet]


0000  00 0f 1f 70 02 6c 00 e0  52 e9 02 00 08 00 45 00   ...p.l.. R.....E.
0010  00 2b 2c fd 40 00 37 11  4f 47 45 09 a6 22 40 b1   .+,.@.7. OGE.."@.
0020  9b a1 81 8e 00 35 00 17  e7 ed 30 31 32 33 34 35   .....5.. ..012345
0030  36 37 38 39 41 42 43 44  45 00 00 00               6789ABCD E...


Thanks
Jim Gonzalez
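
The thread turns on what the two bytes at frame offset 0x14 mean and why Ethereal reports "Unknown operation (6) [Malformed Packet]". The script below is an added example (not code from the thread or from the Ethereal project) that decodes Jim's frame layer by layer: it splits the 16-bit word at IPv4 offset 6 into its three flag bits (Reserved, DF, MF) and the 13-bit fragment offset, verifies the IPv4 header checksum, walks the UDP header to the DNS payload, and applies the same sanity checks a dissector uses (opcode in the assigned range, QDCOUNT consistent with the payload length, payload made of printable filler). The hex dump is copied from the post above with the ASCII column dropped; every function and field name is my own choice, not an Ethereal API.

```python
"""
Decode the Ethernet/IPv4/UDP/DNS frame quoted in the thread above.
Added example, not part of the original e-mail; the bytes in HEX_DUMP are
the ones Jim posted, the field names are this script's own.
"""
import re
import string
import struct

# Constructed input: Jim's hex dump, offsets kept, ASCII column omitted.
HEX_DUMP = """
0000  00 0f 1f 70 02 6c 00 e0  52 e9 02 00 08 00 45 00
0010  00 2b 2c fd 40 00 37 11  4f 47 45 09 a6 22 40 b1
0020  9b a1 81 8e 00 35 00 17  e7 ed 30 31 32 33 34 35
0030  36 37 38 39 41 42 43 44  45 00 00 00
"""

# DNS opcodes with an assigned meaning (RFC 1035, RFC 1996, RFC 2136).
DNS_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_hex_dump(text):
    """Turn an Ethereal-style hex dump (offset + up to 16 byte pairs) into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        parts = line.split()
        # parts[0] is the offset column; at most 16 byte pairs follow it.
        out.extend(int(p, 16) for p in parts[1:17] if re.fullmatch(r"[0-9a-fA-F]{2}", p))
    return bytes(out)


def ip_checksum(header):
    """RFC 791 one's-complement sum over the IPv4 header; 0 means it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_dns(payload):
    """Decode the 12-byte DNS header and record why the message cannot be well formed."""
    if len(payload) < 12:
        return {"dns_malformed": True, "dns_reason": "shorter than the 12-byte header"}
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    reasons = []
    if opcode not in DNS_OPCODES:
        reasons.append("unknown opcode %d" % opcode)
    # Each question needs at least a 1-byte root name + QTYPE + QCLASS (5 bytes).
    if qd * 5 > len(payload) - 12:
        reasons.append("QDCOUNT %d cannot fit in %d payload bytes" % (qd, len(payload)))
    printable = set(string.printable.encode())
    return {
        "dns_id": ident,
        "dns_is_response": bool(flags & 0x8000),
        "dns_opcode": opcode,
        "dns_opcode_name": DNS_OPCODES.get(opcode, "Unknown operation (%d)" % opcode),
        "dns_qdcount": qd,
        "dns_malformed": bool(reasons),
        "dns_reason": "; ".join(reasons),
        # A "DNS header" that is entirely printable ASCII is filler text, not a query.
        "dns_payload_all_printable": all(b in printable for b in payload),
    }


def decode_frame(frame):
    """Return a dict describing the Ethernet/IPv4/UDP/DNS layers of `frame`."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag_word, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    info = {
        "ip_total_length": total_len,
        "ip_id": ident,
        # The word at IPv4 offset 6 is 3 flag bits followed by a 13-bit fragment
        # offset in 8-byte units, so 0x4000 decodes as DF=1 with offset 0.
        "ip_flag_df": bool(frag_word & 0x4000),
        "ip_flag_mf": bool(frag_word & 0x2000),
        "ip_frag_offset_bytes": (frag_word & 0x1FFF) * 8,
        "ip_ttl": ttl,
        "ip_proto": proto,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "ip_src": ".".join(str(b) for b in ip[12:16]),
        "ip_dst": ".".join(str(b) for b in ip[16:20]),
    }
    if proto != 17:
        return info
    udp = ip[ihl:total_len]  # bytes past total_len are Ethernet minimum-frame padding
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    info.update({"udp_sport": sport, "udp_dport": dport, "udp_len": ulen, "payload": payload})
    if 53 in (sport, dport):
        info.update(decode_dns(payload))
    return info


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(HEX_DUMP)).items():
        print("%-26s %r" % (key, value))
```

Running it shows the IPv4 header checksum verifying, the flags word decoding to DF set with a zero fragment offset, a 23-byte UDP datagram to port 53, and a 15-byte payload that is nothing but the ASCII string 0123456789ABCDE; read as a DNS header that string yields opcode 6 and a QDCOUNT of 13365, which is exactly why Ethereal labels it "Unknown operation (6)" and "Malformed Packet". For a defender the useful signal is the combination of a fixed printable payload and an impossible DNS header, which is what a detection rule on port-53 traffic should key on rather than the fragment field.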






_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users