[Dshield] odd udp port 0 traffic

James Affeld jimmythegeek at techemail.com
Thu Mar 18 08:26:29 GMT 2004


There's a host that pings a DNS cache of mine about every two hours.  Then one or two times a day it sends an unsolicited DNS query response "format error".

I have a tcpdump audit log so I can see that there is no query that would elicit such a response.  Nothing outbound at all to that host except echo replies.  There are so many stupid DNS tricks that I am inclined to attribute this to stupidity, rather than malice.  What do you think?

18:35:46.117195 216.74.145.71.53 > A.B.C.8.0:  [udp sum ok] 48588 FormErr [0q] 0/0/)
  0000: 4500 0040 bdcc 0000 0111 89aa d84a 9147  E..@½Ì.....ªØJ.G
  0010: a89c 6008 0035 0000 002c 4edc bdcc 8081  ¨.`..5...,NܽÌ..
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................

18:35:47.127916 216.74.145.71.53 > A.B.C.8.0:  [udp sum ok] 48589 FormErr [0q] 0/0/)
  0000: 4500 0040 bdcd 0000 0111 89a9 d84a 9147  E..@½Í.....©ØJ.G
  0010: a89c 6008 0035 0000 002c 4edb bdcd 8081  ¨.`..5...,NÛ½Í..
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................

18:35:48.137160 216.74.145.71.53 > A.B.C.8.0:  [udp sum ok] 48590 FormErr [0q] 0/0/)
  0000: 4500 0040 bdce 0000 0111 89a8 d84a 9147  E..@½Î.....¨ØJ.G
  0010: a89c 6008 0035 0000 002c 4eda bdce 8081  ¨.`..5...,NÚ½Î..
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................


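As an added example, not part of the post above, the following Python decodes the IPv4, UDP and DNS headers of the first captured datagram and applies the same check the poster did by hand against the tcpdump audit log: does this reply correspond to any query the cache actually sent? The `outstanding` set is a hypothetical stand-in for that audit log.

```python
import ipaddress
import struct

# First datagram from the post's tcpdump -x output, offsets and ASCII columns stripped.
PACKET_HEX = (
    "4500 0040 bdcc 0000 0111 89aa d84a 9147 "
    "a89c 6008 0035 0000 002c 4edc bdcc 8081 "
    "0000 0000 0000 0000 0000 0000 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000"
)

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}


def decode(hex_dump):
    """Parse the IPv4, UDP and DNS headers of a raw datagram into a flat dict."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not a UDP datagram")
    sport, dport, udp_len, _ucksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    dns_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[ihl + 8:ihl + 20])
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "ip_len": total_len, "ip_id": ip_id,
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "dns_id": dns_id, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def anomalies(pkt, outstanding):
    """Return the reasons this datagram should be treated as noise, not as a real reply.

    `outstanding` is a hypothetical set of queries the cache really sent, as
    (server_ip, server_port, local_port, txid) tuples built from the audit log."""
    findings = []
    if pkt["dport"] == 0:
        findings.append("UDP destination port 0: no resolver socket can be listening there")
    if pkt["qr"] and pkt["qdcount"] == 0:
        findings.append("response with an empty question section cannot be tied to any query")
    if pkt["qr"] and (pkt["src"], pkt["sport"], pkt["dport"], pkt["dns_id"]) not in outstanding:
        findings.append("response matches no outstanding query: unsolicited")
    return findings
```

Running it on the packet above yields all three findings; the DNS transaction ID equals the IP ID field, which is visible in the decoded dict as well.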
