DNS BIND traffic capture ICMP/UDP

Daniel Dawalibi daniel.dawalibi at idm.net.lb
Fri Jan 15 13:48:56 UTC 2016



We observed unusual traffic combining ICMP and UDP packets while running
the tcpdump command on the DNS caching server.

Kindly note that only UDP DNS traffic is allowed on this server (ICMP is not
allowed from outside to the DNS server).

Any help regarding this issue? Why are we getting ICMP and UDP requests?
Could it be an attack?





# tcpdump -n icmp

15:41:05.054237 IP > DNSIP: ICMP udp port 52003 unreachable, length 52
15:41:05.064449 IP > DNSIP: ICMP udp port 50162 unreachable, length 52
15:41:05.067953 IP > DNSIP: ICMP udp port 50233 unreachable, length 52
15:41:05.067958 IP > DNSIP: ICMP udp port 53847 unreachable, length 52
15:41:05.072727 IP > DNSIP: ICMP udp port 51024 unreachable, length 52


Example: (client source IP)





