(Fwd) Re: more malformed DNS queries

["Bill Scherr IV, GSEC, GCIA" <bschnzl () cotse net>]

AYup...  

   It started circa 26 Sept...   Any ideas?

B.

------- Forwarded message follows -------
Date sent:              Tue, 14 Oct 2003 08:48:40 -0400
From:                   George Bakos <gbakos () ists dartmouth edu>
To:                     {snipped}
Copies to:              intrusions () incidents org
Subject:                Re: more malformed DNS queries
Organization:           Dartmouth College - ISTS

{more snip}

This appears to be part of a fairly sophisticated dns fingerprinting
effort that we are currently investigating. 

Could you, and anyone else that is seeing this traffic, possibly provide
packet logs and/or binary captures? 

A tcpdump filter that has been 100% effective, thus far, is:

dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000 
or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))

Thanks!

g

On Mon, 13 Oct 2003 22:05:46 -0400
Tyler <tyler () hudakville com> wrote:

> Today I saw a laptop on my VPN sending a large amount of
> malformed DNS requests to seemingly random destination 
addresses.

{another snip}

-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu

------- End of forwarded message -------

Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT  05663
802-485-1962
Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT  05663
802-485-1962

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html