Ethereal-users: RE: [Ethereal-users] Re: DNS Malformed Packet
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Wed, 4 May 2005 17:13:06 +1000
Yep, you're right. I was misled by Ethereal in that if you select the "Fragment offset" in the Packet Details window, of course it highlights the full 2 bytes in the Packet Bytes window. Of course, I forgot to check that something else, the flags, uses the same byte range. But as you said, it certainly looks like a DOS with a nonsense DNS query. I imagine that no DNS server, though, would react to such a packet.

Martin Visser, CISSP
Network and Security Consultant
Consulting & Integration
Technology Solutions Group - HP Services

410 Concord Road
Rhodes NSW 2138
Australia

Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visser@xxxxxx

This email (including any attachments) is intended only for the use of the individual or entity named above and may contain information that is confidential, proprietary or privileged. If you are not the intended recipient, please notify HP immediately by return email and then delete the email, destroy any printed copy and do not disclose or use the information in it.

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of ronnie sahlberg
Sent: Wednesday, 4 May 2005 4:12 PM
To: Ethereal user support
Subject: [Ethereal-users] Re: DNS Malformed Packet

No, the fragment offset is correct. The top 3 bits of this 16 bit field are flags.
His packet has the DontFragment bit set and offset:0.
Your packet also has offset:0 but not the DontFragment bit.

It looks like a denial of service attack.

On 5/4/05, Visser, Martin <martin.visser@xxxxxx> wrote:
>
> You are probably right (regarding Denial Of Service attempt). It
> might be useful if you can use the "Decode as" function to force
> decoding as DNS (or at least IP).
>
> However I have compared your trace with a valid DNS request that I have.
> At offset 0x14 you have the value 0x4000 whereas my standard request
> has the value 0x0000. These two bytes are the IP fragment offset
> field. What this means is that this packet is instructing you that
> the payload in this IP packet should be "glued" on to the previous
> payload on this connection's contents at an offset of 0x4000 (16384) x 8
> bytes (or 131072 bytes) after the first fragment. This would be unusual for a DNS
> request (very big request indeed!!!)
>
> Basically you have received an IP fragmentation attack. It may well be
> causing your host to allocate more buffer space than it ought.
>
> You may want to investigate and patch it appropriately.
>
>
> Martin Visser, CISSP
> Network and Security Consultant
> Consulting & Integration
> Technology Solutions Group - HP Services
>
> 410 Concord Road
> Rhodes NSW 2138
> Australia
>
> Mobile: +61-411-254-513
> Fax: +61-2-9022-1800
> E-mail: martin.visser@xxxxxx
>
> This email (including any attachments) is intended only for the use of
> the individual or entity named above and may contain information that
> is confidential, proprietary or privileged. If you are not the
> intended recipient, please notify HP immediately by return email and
> then delete the email, destroy any printed copy and do not disclose or
> use the information in it.
>
>
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jim Gonzalez
> Sent: Wednesday, 4 May 2005 8:10 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] DNS Malformed Packet
>
> Hello,
> I used Ethereal to diagnose a problem with my network this
> morning but I cannot find a resolution. I think this was some type of
> DOS. I did have some packet loss to my core router. Can someone
> explain this occurrence and possibly direct me to some more
> information. Here is the captured packet. Info on it is Unknown
> operation (6) [Malformed Packet]
>
>
> 0000  00 0f 1f 70 02 6c 00 e0 52 e9 02 00 08 00 45 00   ...p.l.. R.....E.
> 0010  00 2b 2c fd 40 00 37 11 4f 47 45 09 a6 22 40 b1   .+,.@.7. OGE.."@.
> 0020  9b a1 81 8e 00 35 00 17 e7 ed 30 31 32 33 34 35   .....5.. ..012345
> 0030  36 37 38 39 41 42 43 44 45 00 00 00               6789ABCD E...
>
>
> Thanks
> Jim Gonzalez
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
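The thread turns on reading one 16-bit word two ways: as a fragment offset (0x4000 = 16384 units of 8 bytes) or, correctly, as three flag bits plus a 13-bit offset (DF set, offset 0). The following decoder is an added example, not code from the thread or from Ethereal; it parses the frame exactly as Jim posted it (transcribed from his hex dump) and reports what a defender would want checked: the flags/offset split, the UDP ports, and why the DNS dissector reports "Unknown operation (6)" and "Malformed Packet". The opcode table and the "at least 5 bytes per question" sanity rule are this example's own assumptions (opcode 6 was unassigned in 2005; RFC 8490 later assigned it to DSO).

```python
import struct

# Frame from Jim Gonzalez's post, transcribed from the hex dump:
# 14 bytes Ethernet + 43 bytes IP + 3 bytes of Ethernet padding = 60 bytes.
FRAME_HEX = """
00 0f 1f 70 02 6c 00 e0 52 e9 02 00 08 00 45 00
00 2b 2c fd 40 00 37 11 4f 47 45 09 a6 22 40 b1
9b a1 81 8e 00 35 00 17 e7 ed 30 31 32 33 34 35
36 37 38 39 41 42 43 44 45 00 00 00
"""
FRAME = bytes.fromhex(FRAME_HEX)

# DNS opcodes assigned when the thread was written (assumption of this example;
# RFC 8490 assigned opcode 6 to DSO in 2019).
DNS_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_ip_flags_fragment(word):
    """Split the IP flags/fragment-offset word (RFC 791): bit 15 reserved,
    bit 14 DF, bit 13 MF, low 13 bits = fragment offset in 8-byte units."""
    units = word & 0x1FFF
    return {
        "reserved": bool(word & 0x8000),
        "df": bool(word & 0x4000),
        "mf": bool(word & 0x2000),
        "frag_offset_units": units,
        "frag_offset_bytes": units * 8,
    }


def parse_dns_header(payload):
    """Decode the 12-byte DNS header and check it against the payload length."""
    if len(payload) < 12:
        return {"malformed": True, "reason": "shorter than a DNS header"}
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0x0F          # bits 14..11 of the flags word
    hdr = {
        "id": txid, "qr": bool(flags & 0x8000), "opcode": opcode,
        "opcode_name": DNS_OPCODES.get(opcode, f"Unknown operation ({opcode})"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "malformed": False,
    }
    # Sanity rule (assumption): every question needs at least a 1-byte root
    # name plus 2-byte QTYPE and 2-byte QCLASS, so QDCOUNT*5 bytes must follow.
    remaining = len(payload) - 12
    if qd * 5 > remaining:
        hdr["malformed"] = True
        hdr["reason"] = f"QDCOUNT={qd} but only {remaining} bytes follow the header"
    return hdr


def parse_frame(frame):
    """Ethernet -> IPv4 -> UDP -> DNS, returning a flat dict of the fields."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, flags_frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    result = {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ip_id": ip_id, "ttl": ttl, "proto": proto, "ip_total_len": total_len,
    }
    result.update(parse_ip_flags_fragment(flags_frag))
    ip = ip[:total_len]                    # drop Ethernet trailer padding
    if proto != 17:
        return result
    udp = ip[ihl:]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    payload = udp[8:udp_len]
    result.update({"sport": sport, "dport": dport, "udp_payload": payload})
    if 53 in (sport, dport):
        result["dns"] = parse_dns_header(payload)
    return result


def assess(frame):
    """Findings a defender would log for this frame, as plain strings."""
    p = parse_frame(frame)
    findings = []
    if p["mf"] or p["frag_offset_units"]:
        findings.append(f"IP fragment at byte offset {p['frag_offset_bytes']}")
    elif p["df"]:
        findings.append("DF set, fragment offset 0: a whole datagram, not a fragment")
    dns = p.get("dns")
    if dns:
        if dns["opcode"] not in DNS_OPCODES:
            findings.append(f"DNS opcode {dns['opcode']} is not an assigned opcode")
        if dns["malformed"]:
            findings.append("DNS header inconsistent with payload: " + dns["reason"])
    payload = p.get("udp_payload", b"")
    if payload and all(0x20 <= b < 0x7F for b in payload):
        findings.append(f"UDP payload is printable text {payload!r}, not a DNS message")
    return findings


if __name__ == "__main__":
    for line in assess(FRAME):
        print(line)
```

Running it shows the DF bit set with offset 0, opcode 6 (the dissector's "Unknown operation (6)"), a QDCOUNT of 13365 with only 3 bytes left after the header (hence "Malformed Packet"), and a payload that is just the string "0123456789ABCDE": a nonsense datagram to port 53 that no resolver would process as a query, matching the thread's conclusion.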