Ethereal-users: [Ethereal-users] Re: DNS Malformed Packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 4 May 2005 02:11:35 -0400
No,  the fragment offset is correct.
The top 3 bits of this 16 bit field are flags.

His packet has  DontFragment bit set  and offset:0

Your packet also has offset:0  but not the DontFragment bit.


it looks like a denial of service attack   


On 5/4/05, Visser, Martin <martin.visser@xxxxxx> wrote:
>  
> You may are probably right (regarding Denial Of Service attempt). It
> might be useful if you can use the "Decode as" function to force
> decoding as DNS (or at least IP).
> 
> However I have compared your trace with a valid DNS request that I have.
> At offset 0x14 you have the value 0x4000 whereas my standard request has
> the value 0x0000. These two bytes are the IP fragment offset field. What
> this means, is that this packet is instructing you that the payload in
> this IP packet should be "glued" on to the previous payload on this
> connection contents at an offset of 0x4000 (16384) x 8 bytes (or 131072
> bytes) after the first fragment. This would be unusual for a DNS request
> (very big request indeed!!!)
> 
> Basically you have received a IP fragmentation attack. It may well be
> causing your host to allocate more buffer space than it ought. 
> 
> You may want to investigate and patch it appropriately. 
>    
> 
> 
>   
> 
> Martin Visser, CISSP
> Network and Security Consultant 
> Consulting & Integration
> Technology Solutions Group - HP Services
> 
> 410 Concord Road
> Rhodes NSW  2138
> Australia 
> 
> Mobile: +61-411-254-513
> Fax: +61-2-9022-1800     
> E-mail: martin.visser@xxxxxx
> 
> This email (including any attachments) is intended only for the use of
> the individual or entity named above and may contain information that is
> confidential, proprietary or privileged. If you are not the intended
> recipient, please notify HP immediately by return email and then delete
> the email, destroy any printed copy and do not disclose or use the
> information in it.
> 
> 
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jim Gonzalez
> Sent: Wednesday, 4 May 2005 8:10 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] DNS Malformed Packet
> 
> Hello,
>         I used ethereal to diagnose a problem with my network this
> morning but I can not find a resolution. I think this was some type of
> DOS. I did have some packet loss to my core router. Can someone explain
> this occurrence and possibility direct me to some more information. here
> is the captured packet. Info on the is Unknown operation (6) [Malformed
> Packet]
> 
> 
> 0000  00 0f 1f 70 02 6c 00 e0  52 e9 02 00 08 00 45 00   ...p.l..
> R.....E.
> 0010  00 2b 2c fd 40 00 37 11  4f 47 45 09 a6 22 40 b1   .+,.@.7.
> OGE.."@.
> 0020  9b a1 81 8e 00 35 00 17  e7 ed 30 31 32 33 34 35   .....5..
> ..012345
> 0030  36 37 38 39 41 42 43 44  45 00 00 00               6789ABCD E...
> 
> 
> Thanks
> Jim Gonzalez
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>