You are probably right (regarding the Denial Of Service attempt). It
might be useful if you can use the "Decode as" function to force
decoding as DNS (or at least IP).
However I have compared your trace with a valid DNS request that I have.
At offset 0x14 you have the value 0x4000 whereas my standard request has
the value 0x0000. These two bytes are the IP fragment offset field. What
this means, is that this packet is instructing you that the payload in
this IP packet should be "glued" on to the previous payload on this
connection contents at an offset of 0x4000 (16384) x 8 bytes (or 131072
bytes) after the first fragment. This would be unusual for a DNS request
(very big request indeed!!!)
Basically you have received an IP fragmentation attack. It may well be
causing your host to allocate more buffer space than it ought.
You may want to investigate and patch it appropriately.
Martin Visser, CISSP
Network and Security Consultant
Consulting & Integration
Technology Solutions Group - HP Services
410 Concord Road
Rhodes NSW 2138
Australia
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visser@xxxxxx
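One way to do the check described above by hand rather than through "Decode as" (an added example, not code from either poster; the byte string is copied from the hex dump in the quoted message, and the function names are my own): the script splits the 16-bit word at offset 0x14 into its three flag bits (reserved, DF, MF) and the 13-bit fragment offset, which RFC 791 counts in 8-byte units, verifies the IPv4 header checksum, and reads the UDP ports and the DNS opcode behind the "Unknown operation (6)" label.

```python
import struct

# Frame bytes copied from the hex dump in the quoted message (Ethernet + IPv4 + UDP + DNS).
FRAME = bytes.fromhex(
    "000f1f70026c00e052e9020008004500"
    "002b2cfd400037114f474509a62240b1"
    "9ba1818e00350017e7ed303132333435"
    "363738394142434445000000"
)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode the IPv4 flags/fragment-offset word, the UDP ports and the DNS opcode."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]                       # IPv4 header starts after the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag_word, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    # The word at frame offset 0x14 is 3 flag bits (reserved, DF, MF) + a 13-bit offset in 8-byte units.
    flags = frag_word >> 13
    frag_offset = (frag_word & 0x1FFF) * 8
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = udp[8:ulen]
    dns_flags = struct.unpack("!H", dns[2:4])[0]   # QR(1) OPCODE(4) AA TC RD RA Z(3) RCODE(4)
    return {
        "ethertype": ethertype,
        "ip_header_valid": ip_checksum(ip[:ihl]) == 0,
        "ident": ident,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "frag_offset_bytes": frag_offset,
        "is_fragment": bool(flags & 0b001) or frag_offset != 0,
        "ttl": ttl, "proto": proto,
        "sport": sport, "dport": dport,
        "dns_opcode": (dns_flags >> 11) & 0xF,
        "dns_payload_len": len(dns),
        "eth_padding": len(frame) - 14 - total_len,   # trailing zeros pad the frame to 60 bytes
    }


if __name__ == "__main__":
    for key, value in parse_frame(FRAME).items():
        print(f"{key:18} {value}")
```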
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jim Gonzalez
Sent: Wednesday, 4 May 2005 8:10 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] DNS Malformed Packet
Hello,
I used ethereal to diagnose a problem with my network this
morning but I cannot find a resolution. I think this was some type of
DOS. I did have some packet loss to my core router. Can someone explain
this occurrence and possibly direct me to some more information? Here
is the captured packet. Info on the is Unknown operation (6) [Malformed
Packet]
0000  00 0f 1f 70 02 6c 00 e0 52 e9 02 00 08 00 45 00   ...p.l..R.....E.
0010  00 2b 2c fd 40 00 37 11 4f 47 45 09 a6 22 40 b1   .+,.@.7.OGE.."@.
0020  9b a1 81 8e 00 35 00 17 e7 ed 30 31 32 33 34 35   .....5....012345
0030  36 37 38 39 41 42 43 44 45 00 00 00               6789ABCDE...
Thanks
Jim Gonzalez
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users