Ethereal-users: [Ethereal-users] Re: DNS Malformed Packet
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 4 May 2005 02:11:35 -0400
No, the fragment offset is correct. The top 3 bits of this 16-bit field are flags.
His packet has the DontFragment bit set and offset 0. Your packet also has offset 0
but not the DontFragment bit.

It looks like a denial of service attack.

On 5/4/05, Visser, Martin <martin.visser@xxxxxx> wrote:
>
> You are probably right (regarding Denial Of Service attempt). It
> might be useful if you can use the "Decode as" function to force
> decoding as DNS (or at least IP).
>
> However I have compared your trace with a valid DNS request that I have.
> At offset 0x14 you have the value 0x4000 whereas my standard request has
> the value 0x0000. These two bytes are the IP fragment offset field. What
> this means is that this packet is instructing you that the payload in
> this IP packet should be "glued" on to the previous payload on this
> connection contents at an offset of 0x4000 (16384) x 8 bytes (or 131072
> bytes) after the first fragment. This would be unusual for a DNS request
> (very big request indeed!!!)
>
> Basically you have received an IP fragmentation attack. It may well be
> causing your host to allocate more buffer space than it ought.
>
> You may want to investigate and patch it appropriately.
>
> Martin Visser, CISSP
> Network and Security Consultant
> Consulting & Integration
> Technology Solutions Group - HP Services
>
> 410 Concord Road
> Rhodes NSW 2138
> Australia
>
> Mobile: +61-411-254-513
> Fax: +61-2-9022-1800
> E-mail: martin.visser@xxxxxx
>
> This email (including any attachments) is intended only for the use of
> the individual or entity named above and may contain information that is
> confidential, proprietary or privileged. If you are not the intended
> recipient, please notify HP immediately by return email and then delete
> the email, destroy any printed copy and do not disclose or use the
> information in it.
>
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jim Gonzalez
> Sent: Wednesday, 4 May 2005 8:10 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] DNS Malformed Packet
>
> Hello,
> I used Ethereal to diagnose a problem with my network this
> morning but I cannot find a resolution. I think this was some type of
> DoS. I did have some packet loss to my core router. Can someone explain
> this occurrence and possibly direct me to some more information? Here
> is the captured packet. Info on the is Unknown operation (6) [Malformed
> Packet]
>
> 0000 00 0f 1f 70 02 6c 00 e0 52 e9 02 00 08 00 45 00 ...p.l..R.....E.
> 0010 00 2b 2c fd 40 00 37 11 4f 47 45 09 a6 22 40 b1 .+,.@.7.OGE.."@.
> 0020 9b a1 81 8e 00 35 00 17 e7 ed 30 31 32 33 34 35 .....5....012345
> 0030 36 37 38 39 41 42 43 44 45 00 00 00             6789ABCDE...
>
> Thanks
> Jim Gonzalez
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
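As an added example (my own code, not from this thread or the Ethereal project), the Python below decodes the frame Jim posted and splits the 16-bit IP flags/fragment-offset word the way Ronnie describes: three flag bits on top, a 13-bit offset in 8-byte units below. The hex columns are transcribed from the post; the function names and the IP checksum and DNS opcode checks are my additions.

```python
import struct

# Sample input: the hex columns of the dump in Jim Gonzalez's post (ASCII column dropped).
HEXDUMP = """
0000 00 0f 1f 70 02 6c 00 e0 52 e9 02 00 08 00 45 00
0010 00 2b 2c fd 40 00 37 11 4f 47 45 09 a6 22 40 b1
0020 9b a1 81 8e 00 35 00 17 e7 ed 30 31 32 33 34 35
0030 36 37 38 39 41 42 43 44 45 00 00 00
"""

def hexdump_to_bytes(dump):
    """Turn 'offset xx xx ...' lines into raw bytes; the offset column is dropped."""
    return bytes(int(tok, 16) for line in dump.splitlines() if line.strip()
                 for tok in line.split()[1:])

def ip_fragment_field(word):
    """Split the IPv4 flags/fragment-offset word: top 3 bits are flags, low 13 the offset."""
    return {"reserved": bool(word & 0x8000), "DF": bool(word & 0x4000),
            "MF": bool(word & 0x2000), "offset_bytes": (word & 0x1FFF) * 8}

def ip_checksum_ok(header):
    """One's-complement sum of all header words (checksum included) is 0xFFFF when valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_frame(frame):
    """Decode the Ethernet, IPv4, UDP and DNS header fields of one captured frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _ck = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ucksum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    dns_id, dns_flags = struct.unpack("!HH", payload[:4])   # DNS header: ID, then flags word
    return {
        "ethertype": ethertype, "ip_header_ok": ip_checksum_ok(ip[:ihl]),
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "proto": proto, "ident": ident, "fragment": ip_fragment_field(frag),
        "sport": sport, "dport": dport, "udp_len": ulen, "payload": payload,
        "dns_id": dns_id, "dns_opcode": (dns_flags >> 11) & 0xF,   # opcode = bits 14..11
        "ethernet_padding": len(ip) - total_len,   # bytes beyond IP total length
    }

if __name__ == "__main__":
    for key, value in parse_frame(hexdump_to_bytes(HEXDUMP)).items():
        print(f"{key:>17}: {value}")
```

Running it shows DF set with offset 0, a valid IP header checksum, a UDP payload that is literally the ASCII string 0123456789ABCDE, and a DNS opcode of 6: the IP layer is well formed, and Ethereal's "Unknown operation (6) [Malformed Packet]" comes from that junk payload being read as a DNS header.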