[Dshield] odd udp port 0 traffic

Funk Jr, Joseph C. jcfunkjr at co.bucks.pa.us
Thu Mar 18 21:23:30 GMT 2004


Check this out, this looks very interesting: http://people.ists.dartmouth.edu/~gbakos/bindsweep/ about malformed DNS messages involving a format error and a possible cause, a virus called W32/Calypso-tr.

As far as the purpose of the traffic, according to the above link, "it could result in a denial-of-service (DoS) attack if the server attempts to parse the packet but is unable to".

It finally directs to this link about the above, http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=526, for a description of the W32/Calypso-tr virus, if this is in fact the culprit.

Side note: that IP was detected by a fake open relay 'honeypot' back in 2002 doing pings every 40 minutes, along with a few other IPs.  Here is the English translation of the posting (it's a poor translation, but you get the drift).



Joseph C Funk Jr

-----Original Message-----
From: James Affeld [mailto:jimmythegeek at techemail.com]
Sent: Thursday, March 18, 2004 3:26 AM
To: list at dshield.org
Subject: [Dshield] odd udp port 0 traffic


There's a host that pings a DNS cache of mine about every two hours.  Then one or two times a day it sends an unsolicited DNS query response, "format error".

I have a tcpdump audit log so I can see that there is no query that would elicit such a response.  Nothing outbound at all to that host except echo replies.  There are so many stupid DNS tricks that I am inclined to attribute this to stupidity, rather than malice.  What do you think?

18:35:46.117195 216.74.145.71.53 > A.B.C.8.0:  [udp sum ok] 48588 FormErr [0q] 0/0/)
  0000: 4500 0040 bdcc 0000 0111 89aa d84a 9147  E..@½Ì.....ªØJ.G
  0010: a89c 6008 0035 0000 002c 4edc bdcc 8081  ¨.`..5...,NܽÌ..
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................

18:35:47.127916 216.74.145.71.53 > A.B.C.8.0:  [udp sum ok] 48589 FormErr [0q] 0/0/)
  0000: 4500 0040 bdcd 0000 0111 89a9 d84a 9147  E..@½Í.....©ØJ.G
  0010: a89c 6008 0035 0000 002c 4edb bdcd 8081  ¨.`..5...,NÛ½Í..
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................

18:35:48.137160 216.74.145.71.53 > A.B.C.8.0:  [udp sum ok] 48590 FormErr [0q] 0/0/)
  0000: 4500 0040 bdce 0000 0111 89a8 d84a 9147  E..@½Î.....¨ØJ.G
  0010: a89c 6008 0035 0000 002c 4eda bdce 8081  ¨.`..5...,NÚ½Î..
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
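Decoding the quoted dumps, as an added example that is not code from either poster: a plain-Python parser for the IPv4, UDP and DNS headers of the three tcpdump hex dumps above (copied verbatim from the post, IPv4 header onward), a checksum verifier, and the unsolicited-response check the original poster describes doing by hand against a tcpdump audit log. The outbound query log, the tuple layout (server, our source port, DNS ID) and all function names are my own assumptions.

```python
"""Decode the three "FormErr" datagrams quoted in the thread and flag them as unsolicited.

Added example; not code from the original posters. Hex dumps are copied from the
tcpdump -x output in the post (IPv4 header first). The outbound-query log used by
unsolicited_responses() is constructed for illustration.
"""
import struct

# Copied from the post: the three datagrams, 64 bytes each (two all-zero trailing rows).
POSTED_PACKETS = [
    "4500 0040 bdcc 0000 0111 89aa d84a 9147"
    " a89c 6008 0035 0000 002c 4edc bdcc 8081" + " 0000" * 16,
    "4500 0040 bdcd 0000 0111 89a9 d84a 9147"
    " a89c 6008 0035 0000 002c 4edb bdcd 8081" + " 0000" * 16,
    "4500 0040 bdce 0000 0111 89a8 d84a 9147"
    " a89c 6008 0035 0000 002c 4eda bdce 8081" + " 0000" * 16,
]

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

# Constructed audit-log entries for our own outbound queries: (server, our source port, DNS ID).
# The second entry is a query to the same server on a normal ephemeral port; it must not
# match a response aimed at port 0.
CONSTRUCTED_QUERY_LOG = {
    ("192.0.2.53", 33421, 0x1A2B),
    ("216.74.145.71", 34567, 0x7F01),
}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum over 16-bit words; a block whose checksum field is correct sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode(hexdump: str) -> dict:
    """Parse IPv4 + UDP + DNS header fields from a tcpdump-style hex dump."""
    pkt = bytes.fromhex(hexdump)
    (vihl, _tos, _total_len, ip_id, _frag, ttl, proto, _ipck,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or proto != 17:
        raise ValueError("expected IPv4/UDP")
    sport, dport, ulen, uck = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + ulen]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)  # UDP pseudo-header
    dns_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", udp[8:20])
    return {
        "src": "%d.%d.%d.%d" % tuple(src),
        "dst": "%d.%d.%d.%d" % tuple(dst),
        "ttl": ttl,
        "ip_id": ip_id,
        "sport": sport,
        "dport": dport,
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        # A zero UDP checksum means "not computed" and is legal for IPv4.
        "udp_checksum_ok": uck == 0 or ones_complement_sum(pseudo + udp) == 0xFFFF,
        "dns_id": dns_id,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": (qd, an, ns, ar),
    }


def unsolicited_responses(packets, outbound_queries):
    """Return DNS responses (QR=1) with no matching (server, port, ID) in our outbound log.

    outbound_queries: set of (server_ip, our_source_port, dns_id) from our own audit log.
    """
    return [p for p in packets
            if p["qr"] and (p["src"], p["dport"], p["dns_id"]) not in outbound_queries]


def main():
    decoded = [decode(h) for h in POSTED_PACKETS]
    for p in decoded:
        print("%s.%d > %s.%d  dns_id=%#06x %s qr=%d rd=%d ra=%d counts=%s "
              "ttl=%d ip_id=%#06x ipck=%s udpck=%s"
              % (p["src"], p["sport"], p["dst"], p["dport"], p["dns_id"], p["rcode"],
                 p["qr"], p["rd"], p["ra"], p["counts"], p["ttl"], p["ip_id"],
                 p["ip_checksum_ok"], p["udp_checksum_ok"]))
    for p in unsolicited_responses(decoded, CONSTRUCTED_QUERY_LOG):
        print("unsolicited: response from %s to port %d, id %#06x" % (p["src"], p["dport"], p["dns_id"]))


if __name__ == "__main__":
    main()
```

Running it over the three dumps decodes each as a DNS response (QR set, RA set, RD clear, RCODE 1 FormErr, all four section counts zero) from 216.74.145.71 port 53 to UDP port 0, with both IP and UDP checksums valid. Two details the one-line tcpdump summary hides: the IP identification field equals the DNS transaction ID in all three packets (0xbdcc, 0xbdcd, 0xbdce, incrementing in step), and the TTL field is 1 at the capture point. A response addressed to port 0 can never match an open socket, so the stateful check above flags all three regardless of the log contents.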



