HELP! DNS Attack

Sam Wilson Sam.Wilson at ed.ac.uk
Mon Oct 11 09:27:56 UTC 1999


In article <OrNL3.6161$G6.580527 at news0.telusplanet.net>,
administrator at yellowhead.com (John Coutts) wrote:

>Our DNS server has started shutting down 2 to 3 times a week in the past few 
>weeks. Not the whole server, just port 53. Nothing gets logged except the fact 
>that a socket vector had to be reset. Using a Network Monitor, I was able to 
>capture the packets sent and received just prior to 2 of the failures, and they
>are remarkably similar. Stripping off the IP and TCP header info, this is what
>they look like.
>------------------------------ Case 1 --------------------------------
>                  69 D0 01 00 00 01 00 00 00 00 | first
>00 00 10 61 6C 62 65 72 74 61 64 69 72 65 63 74 |   fragment
>Ack from server
>                  00 00 00 00 00 00               second fragment
>                  56 D8 65 3B BF AB               third fragment
>                  27 91 48 3C D5 17               fourth fragment
>Ack from server
>------------------------------ Case 2 --------------------------------
>                  48 1C 01 00 00 01 00 00 00 00 | first
>00 00 10 61 6C 62 65 72 74 61 64 69 72 65 63 74 |   fragment
>Ack from server
>                  00 00 00 00 00 00               second fragment
>                  0D 0A 4D 4A 5E 4B               third fragment
>                  2A 35 53 4F 43 25               fourth fragment
>Ack from server
>----------------------------------------------------------------------
>These are not normal DNS queries, as they are TCP and not UDP packets. They 
>came from completely different parts of the world, and if anyone has any idea 
>how a DNS would respond to such a request, I would be very grateful for the
>feedback. We are using Windows NT and MetaInfo for DNS Server.

The data in the first fragment looks like a normal DNS query for a name
beginning 'albertadirect' but with three more characters in the first
label. Without knowing what the offsets of the other fragments are it's
difficult to piece the rest of the stuff together but they don't seem to
make much sense as either ASCII text or DNS data.  Could be a stack
overflow attack.

-- 
Sam Wilson
Network Services Division, Computing Services
The University of Edinburgh
Edinburgh, Scotland, UK
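As an added illustration (not part of Sam's reply or the original post), the following Python decodes the "first fragment" of each case the way the reply reads it: the 12-byte DNS header followed by the question name. It assumes the captured bytes start at the DNS header (no two-byte TCP length prefix), and it reports how many bytes the declared label length claims beyond what was captured.

```python
import struct

# Constructed from the hex in the post: the "first fragment" of each case with
# IP/TCP headers already stripped, read as the start of a DNS message (no
# two-byte TCP length prefix is assumed, matching the reply's reading).
FIRST_FRAGMENTS = {
    "case1": bytes.fromhex("69D0 0100 0001 0000 0000 0000 10 61 6C 62 65 72 74 61 64 69 72 65 63 74"),
    "case2": bytes.fromhex("481C 0100 0001 0000 0000 0000 10 61 6C 62 65 72 74 61 64 69 72 65 63 74"),
}

def parse_dns_header(data):
    """Decode the 12-byte DNS header into named fields."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    return {
        "id": ident,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "rd": (flags >> 8) & 1,         # recursion desired
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def walk_qname(data, offset=12):
    """Walk the question-name labels that follow the header.

    Returns the labels decoded so far, whether the name was terminated by a
    zero-length label, and how many bytes the last declared label length
    claims beyond the end of the captured data.
    """
    labels = []
    while offset < len(data):
        length = data[offset]
        offset += 1
        if length == 0:
            return {"labels": labels, "complete": True, "missing": 0}
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        chunk = data[offset:offset + length]
        labels.append(chunk.decode("ascii", "replace"))
        if len(chunk) < length:  # label runs past the captured bytes
            return {"labels": labels, "complete": False, "missing": length - len(chunk)}
        offset += length
    return {"labels": labels, "complete": False, "missing": 0}

def summarize(data):
    """Header fields plus the question-name check for one captured fragment."""
    return {"header": parse_dns_header(data), "qname": walk_qname(data)}

if __name__ == "__main__":
    for name, frag in FIRST_FRAGMENTS.items():
        print(name, summarize(frag))
```

For both cases this yields a standard query with recursion desired and one question, whose first label declares 16 bytes while only the 13 bytes of 'albertadirect' were captured, which is the three-character gap the reply points out.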