Full Version: Malformed Dns Request
tikbalang
Any experience with a client PC sending malformed DNS requests?

Example (output from tcpdump on the DNS server):

17:28:07.955225 vvv.xxx.yyy.zzz.1608 > fw1.mydomain.com.domain: 26812+ A? scs.msg.yahoo.com.mydomain.com. (49)
17:28:07.955466 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1608: 26812 NXDomain*- 0/1/0 (100)
17:28:08.950777 vvv.xxx.yyy.zzz.1610 > fw1.mydomain.com.domain: 50879+ A? scsc.msg.yahoo.com. (36)
17:28:08.951464 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1610: 50879- 0/5/5 (206)
17:28:39.954283 vvv.xxx.yyy.zzz.1611 > fw1.mydomain.com.domain: 47011+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:28:39.954433 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1611: 47011 NXDomain*- 0/1/0 (101)
17:28:40.950588 vvv.xxx.yyy.zzz.1613 > fw1.mydomain.com.domain: 24995+ A? scsa.msg.yahoo.com. (36)
17:28:40.951228 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1613: 24995- 0/5/5 (206)
17:29:27.952897 vvv.xxx.yyy.zzz.1616 > fw1.mydomain.com.domain: 4521+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:29:27.953171 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1616: 4521 NXDomain*- 0/1/0 (101)
17:29:28.950409 vvv.xxx.yyy.zzz.1618 > fw1.mydomain.com.domain: 52904+ A? scsa.msg.yahoo.com. (36)
17:29:28.951099 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1618: 52904- 0/5/5 (206)
17:29:43.952421 vvv.xxx.yyy.zzz.1618 > fw1.mydomain.com.domain: 15784+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:29:43.952708 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1618: 15784 NXDomain*- 0/1/0 (101)
17:29:44.950058 vvv.xxx.yyy.zzz.1619 > fw1.mydomain.com.domain: 44459+ A? scsa.msg.yahoo.com. (36)
17:29:44.950669 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1619: 44459- 0/5/5 (206)
17:29:59.952003 vvv.xxx.yyy.zzz.1619 > fw1.mydomain.com.domain: 41130+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:29:59.952421 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1619: 41130 NXDomain*- 0/1/0 (101)
17:30:00.950007 vvv.xxx.yyy.zzz.1620 > fw1.mydomain.com.domain: 42157+ A? scsa.msg.yahoo.com. (36)
17:30:00.950675 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1620: 42157- 0/5/5 (206)
17:30:16.949844 vvv.xxx.yyy.zzz.1621 > fw1.mydomain.com.domain: 2476+ A? scsa.msg.yahoo.com. (36)
17:30:16.950427 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1621: 2476- 0/5/5 (206)
17:30:47.951325 vvv.xxx.yyy.zzz.1622 > fw1.mydomain.com.domain: 6319+ A? scsb.msg.yahoo.com.mydomain.com. (50)
17:30:47.951643 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1622: 6319 NXDomain*- 0/1/0 (101)
17:31:13.621703 vvv.xxx.yyy.zzz.1625 > fw1.mydomain.com.domain: 62675+ (55)
17:31:13.621944 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1625: 62675 NXDomain*- 0/1/0 (106)
17:31:14.621354 vvv.xxx.yyy.zzz.1626 > fw1.mydomain.com.domain: 49109+ A? auto.search.msn.com. (37)
17:31:14.621960 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1626: 49109- 0/5/5 (215)
17:31:22.496277 vvv.xxx.yyy.zzz.1627 > fw1.mydomain.com.domain: 33492+ A? scs.msg.yahoo.com. (35)
17:31:22.496520 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1627: 33492- 0/5/5 (205)
17:31:28.949597 vvv.xxx.yyy.zzz.1626 > fw1.mydomain.com.domain: 18388+ A? auto.search.msn.com.mydomain.com. (51)
17:31:28.949755 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1626: 18388 NXDomain*- 0/1/0 (102)
17:31:29.949345 vvv.xxx.yyy.zzz.1628 > fw1.mydomain.com.domain: 5591+ A? www.www.security-forums.com.com. (49)
17:31:29.949569 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1628: 5591- 0/3/3 (155)
17:31:36.949108 vvv.xxx.yyy.zzz.1627 > fw1.mydomain.com.domain: 18647+ A? scs.msg.yahoo.com.mydomain.com. (49)
17:31:36.949370 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1627: 18647 NXDomain*- 0/1/0 (100)
17:31:37.949293 vvv.xxx.yyy.zzz.1629 > fw1.mydomain.com.domain: 40150+ A? scsc.msg.yahoo.com. (36)
17:31:37.949588 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1629: 40150- 0/5/5 (206)
17:31:47.194848 vvv.xxx.yyy.zzz.1630 > fw1.mydomain.com.domain: 53208+ A? www.www.security-forums.com.org. (49)
17:31:47.195018 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1630: 53208- 0/2/2 (131)
17:31:52.948907 vvv.xxx.yyy.zzz.1629 > fw1.mydomain.com.domain: 44762+ A? scsc.msg.yahoo.com.mydomain.com. (50)
17:31:52.949181 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1629: 44762 NXDomain*- 0/1/0 (101)
17:31:53.950595 vvv.xxx.yyy.zzz.1634 > fw1.mydomain.com.domain: 47066+ A? scsa.msg.yahoo.com. (36)
17:32:03.183892 vvv.xxx.yyy.zzz.1630 > fw1.mydomain.com.domain: 7389+ (63)
17:32:03.184141 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1630: 7389 NXDomain*- 0/1/0 (114)
17:32:04.183542 vvv.xxx.yyy.zzz.1636 > fw1.mydomain.com.domain: 31452+ A? www.www.security-forums.com.net. (49)
17:32:04.183940 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1636: 31452- 0/13/11 (446)
17:32:08.948265 vvv.xxx.yyy.zzz.1634 > fw1.mydomain.com.domain: 223+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:32:08.948415 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1634: 223 NXDomain*- 0/1/0 (101)
17:32:09.949074 vvv.xxx.yyy.zzz.1637 > fw1.mydomain.com.domain: 40926+ A? scsa.msg.yahoo.com. (36)
17:32:09.949351 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1637: 40926- 0/5/5 (206)
17:32:20.183724 vvv.xxx.yyy.zzz.1636 > fw1.mydomain.com.domain: 50654+ (63)
17:32:20.184059 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1636: 50654 NXDomain*- 0/1/0 (114)
17:32:21.199089 vvv.xxx.yyy.zzz.1638 > fw1.mydomain.com.domain: 64734+ A? www.www.security-forums.com.edu. (49)
17:32:21.199557 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1638: 64734- 0/9/3 (259)
17:32:24.948042 vvv.xxx.yyy.zzz.1637 > fw1.mydomain.com.domain: 16350+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:32:24.948189 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1637: 16350 NXDomain*- 0/1/0 (101)
17:32:25.948990 vvv.xxx.yyy.zzz.1639 > fw1.mydomain.com.domain: 35777+ A? scsa.msg.yahoo.com. (36)
17:32:25.949592 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1639: 35777- 0/5/5 (206)
17:32:36.696376 203.177.13.55.1025 > fw1.mydomain.com.domain: 29342+ A? time.nist.gov. (31)
17:32:36.696913 fw1.mydomain.com.domain > 203.177.13.55.1025: 29342- 0/7/0 (159)
17:32:37.199194 vvv.xxx.yyy.zzz.1638 > fw1.mydomain.com.domain: 39105+ (63)
17:32:37.199418 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1638: 39105 NXDomain*- 0/1/0 (114)
17:32:38.199350 vvv.xxx.yyy.zzz.1640 > fw1.mydomain.com.domain: 44737+ A? auto.search.msn.com. (37)
17:32:38.200076 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1640: 44737- 0/5/5 (215)
17:32:40.947297 vvv.xxx.yyy.zzz.1639 > fw1.mydomain.com.domain: 38339+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:32:40.947581 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1639: 38339 NXDomain*- 0/1/0 (101)
17:32:41.948855 vvv.xxx.yyy.zzz.1641 > fw1.mydomain.com.domain: 42691+ A? scsa.msg.yahoo.com. (36)
17:32:41.949445 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1641: 42691- 0/5/5 (206)
17:32:52.946918 vvv.xxx.yyy.zzz.1640 > fw1.mydomain.com.domain: 19907+ A? auto.search.msn.com.mydomain.com. (51)
17:32:52.947188 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1640: 19907 NXDomain*- 0/1/0 (102)
17:32:55.026975 vvv.xxx.yyy.zzz.1642 > fw1.mydomain.com.domain: 24258+ A? auto.search.msn.com. (37)
17:32:55.027206 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1642: 24258- 0/5/5 (215)
17:32:56.946820 vvv.xxx.yyy.zzz.1641 > fw1.mydomain.com.domain: 64196+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:32:56.947098 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1641: 64196 NXDomain*- 0/1/0 (101)

Note:
fw1.mydomain.com - the DNS server
vvv.xxx.yyy.zzz - the client that is sending the malformed DNS requests

The client has a desktop firewall (Outpost), which is what reports that the said client is sending malformed DNS requests to the server.

Another thing: the malformed DNS requests happen not only when using our own DNS server but also when we are using a public DNS server.

What makes this client send such requests?

Is there a way to check it?
rasraven
Seems like a DNS DoS?
tikbalang
Yes, it seems that way.

It makes connecting to sites hard. Some sites are able to resolve, others not.

I'm curious where the problem is. As per the tcpdump on the DNS server, the client is the one sending the malformed requests, which it denied.

Is there a way that the DNS server is the one appending that stuff, which makes the request malformed?
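An added example, not from the original thread, that reads tcpdump DNS summary lines like the capture in the first post and pairs each query with its response by client address, source port and query id. It decodes the flag characters tcpdump prints (`+` after a query id: recursion desired; `*` on a response: authoritative answer; `-` on a response: the server did not set recursion-available; `0/5/5`: answer/authority/additional record counts) and reports three things the capture lets you check: queries whose question section tcpdump did not print, names queried both bare and with the local domain appended by the same client within a short window (with the rcode each form got), and responses that carry zero answer records. Because each record keeps the source address, the pairing also answers the question just above of which side carries the appended suffix: in this capture it is already present in the query as sent by the client. The sample lines are a subset of the post's own capture; the `mydomain.com` suffix and the 30-second pairing window are assumptions.

```python
import re

# Constructed sample: a subset of the tcpdump lines quoted in the first post, kept verbatim.
SAMPLE_CAPTURE = """\
17:29:28.950409 vvv.xxx.yyy.zzz.1618 > fw1.mydomain.com.domain: 52904+ A? scsa.msg.yahoo.com. (36)
17:29:28.951099 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1618: 52904- 0/5/5 (206)
17:29:43.952421 vvv.xxx.yyy.zzz.1618 > fw1.mydomain.com.domain: 15784+ A? scsa.msg.yahoo.com.mydomain.com. (50)
17:29:43.952708 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1618: 15784 NXDomain*- 0/1/0 (101)
17:29:44.950058 vvv.xxx.yyy.zzz.1619 > fw1.mydomain.com.domain: 44459+ A? scsa.msg.yahoo.com. (36)
17:29:44.950669 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1619: 44459- 0/5/5 (206)
17:31:13.621703 vvv.xxx.yyy.zzz.1625 > fw1.mydomain.com.domain: 62675+ (55)
17:31:13.621944 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1625: 62675 NXDomain*- 0/1/0 (106)
17:31:14.621354 vvv.xxx.yyy.zzz.1626 > fw1.mydomain.com.domain: 49109+ A? auto.search.msn.com. (37)
17:31:14.621960 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1626: 49109- 0/5/5 (215)
17:31:28.949597 vvv.xxx.yyy.zzz.1626 > fw1.mydomain.com.domain: 18388+ A? auto.search.msn.com.mydomain.com. (51)
17:31:28.949755 fw1.mydomain.com.domain > vvv.xxx.yyy.zzz.1626: 18388 NXDomain*- 0/1/0 (102)
17:32:36.696376 203.177.13.55.1025 > fw1.mydomain.com.domain: 29342+ A? time.nist.gov. (31)
17:32:36.696913 fw1.mydomain.com.domain > 203.177.13.55.1025: 29342- 0/7/0 (159)
"""

# Query line: "<ts> <client>.<port> > <server>.domain: <id>[+] [<qtype>? <qname>.] (<len>)"
# The question part is optional because tcpdump sometimes prints only the id and length.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<client>\S+)\.(?P<port>\d+) > (?P<server>\S+)\.domain: "
    r"(?P<id>\d+)(?P<rd>\+?)(?: (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)\.)? \((?P<len>\d+)\)$"
)
# Response line: "<ts> <server>.domain > <client>.<port>: <id>[ <rcode>][*][-] <an>/<ns>/<ar> (<len>)"
RESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<server>\S+)\.domain > (?P<client>\S+)\.(?P<port>\d+): "
    r"(?P<id>\d+)(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp))?"
    r"(?P<aa>\*?)(?P<nora>-?) (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) \((?P<len>\d+)\)$"
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Pair each query with its response by (client, port, id); return transactions in capture order."""
    pending, txns = {}, []
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            t = {"time": _seconds(q["ts"]), "client": q["client"], "id": int(q["id"]),
                 "rd": q["rd"] == "+", "qtype": q["qtype"], "qname": q["qname"],
                 "rcode": None, "aa": None, "ra": None, "answers": None}
            pending[(q["client"], q["port"], q["id"])] = t
            txns.append(t)
            continue
        r = RESP_RE.match(line)
        if r:
            t = pending.pop((r["client"], r["port"], r["id"]), None)
            if t is None:
                continue  # response whose query was not captured; nothing to pair it with
            t["rcode"] = r["rcode"] or "NoError"   # tcpdump prints nothing for NoError
            t["aa"] = r["aa"] == "*"
            t["ra"] = r["nora"] == ""              # tcpdump prints '-' when RA is clear
            t["answers"] = int(r["an"])
    return txns


def find_suffix_appends(txns, local_suffix, window=30.0):
    """Names a client queried both bare and with local_suffix appended within `window` seconds.

    For each suffixed query, the earliest bare query of the same name from the same
    client inside the window is paired with it, so both orders (bare first or suffixed
    first) are caught. Assumed window: 30 s.
    """
    tail = "." + local_suffix
    found = []
    for t in txns:
        if not t["qname"] or not t["qname"].endswith(tail):
            continue
        base = t["qname"][: -len(tail)]
        for u in txns:
            if u["client"] == t["client"] and u["qname"] == base and abs(u["time"] - t["time"]) <= window:
                found.append({"name": base, "suffixed_rcode": t["rcode"],
                              "bare_answers": u["answers"], "delta": round(t["time"] - u["time"], 3)})
                break
    return found


def summarize(text, local_suffix):
    """Run all three checks over a tcpdump capture and return the findings."""
    txns = parse_capture(text)
    answered = [t for t in txns if t["rcode"] is not None]
    return {
        "queries": len(txns),
        "undecoded_questions": [t["id"] for t in txns if t["qname"] is None],
        "suffix_appended": find_suffix_appends(txns, local_suffix),
        "referrals": sorted({t["qname"] for t in answered
                             if t["rcode"] == "NoError" and t["answers"] == 0 and t["qname"]}),
        "recursion_offered": any(t["ra"] for t in answered),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE, "mydomain.com").items():
        print(f"{key}: {value}")
```

Run against the full capture in the post (pasted into `SAMPLE_CAPTURE` or read from a file) with the real local domain as `local_suffix`; the `suffix_appended` list shows which names the client re-asked with the suffix and what each form got back, and `recursion_offered` tells you whether the server ever set RA for that client.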
tikbalang
Any suggestions?
yuliang111
QUOTE(tikbalang @ Dec 9 2004, 02:35 PM)
Any suggestions?

Block the IP?
FuzZyBeeR
Is this not DNS poisoning?

info : hxxp://www.lurhq.com/dnscache.pdf
tikbalang
QUOTE(FuzZyBeeR @ Dec 16 2004, 08:52 AM)
Is this not DNS poisoning?

info : hxxp://www.lurhq.com/dnscache.pdf

Thanks for the info. I'll try it.