[Dshield] UDP/65535 and Tcpdump Help

MH procana at insight.rr.com
Fri Oct 22 16:26:23 GMT 2004


Thanks Justin for sending me your capture files.

After analyzing the trace files some things jump out
immediately. They look just like crafted/malformed 
DNS queries. 

Here is a representative payload snippet:
11ef 0035 0019 2374 71f7 0100 0001 0000 0000 0000 0000 0200 0100

The source port is always 0x11ef (4591) and the
destination port is always 0x0035 (53). 
The length is 0x0019 (25 bytes)
The checksum and transaction id remain the same
for each unique source ip address.
Then 0x0100 would indicate a standard query and
0x0001 is one question.  
0000, 0000, 0000 are answer RR, auth RR and additional RR respectively.

However, there is no real query that follows and according to
the fragmentation flags, this is the last "fragment".

The fact that the fragmentation offset is non-zero is pretty strange.
I imagine that this would be an attempt to bypass a non-stateful or
poorly configured screening device.

I would guess that this would be an attempt to dos a DNS server with the 
malformed query.  However, I don't know of a system that would
process these packets.  It seems that most stacks would just
discard the fragment.

Other ideas?

Hope this helps,
Mike 
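The decode Mike walks through above, written out as a small Python parser. This is an added example, not code from the original post or from the DShield list; the hex string is constructed from the snippet quoted in the post (UDP header followed by the start of a DNS message, no IP header, so the fragmentation fields he mentions are not in reach here), and the field names, the `parse_udp_dns` and `matches_reported_pattern` helpers, and the consistency warnings are my own choices. The parser decodes the UDP header and the fixed 12-byte DNS header, compares the UDP length field against the bytes actually present, and leaves whatever follows the header as raw hex for inspection rather than assuming a well-formed question section.

```python
import struct

# Constructed from the hex snippet quoted in the post: UDP header (8 bytes)
# followed by the start of a DNS message. The IP header is not included.
SNIPPET_HEX = "11ef 0035 0019 2374 71f7 0100 0001 0000 0000 0000 0000 0200 0100"

DNS_OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}


def parse_udp_dns(hexdump: str) -> dict:
    """Decode a UDP header and the fixed 12-byte DNS header that follows it.

    Returns the decoded fields plus a list of consistency warnings
    (UDP length mismatch, truncated DNS header, question section too
    short for the advertised QDCOUNT). Bytes after the DNS header are
    returned untouched as hex so the reader can judge them directly.
    """
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < 8:
        raise ValueError("need at least an 8-byte UDP header")

    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", data[:8])
    result = {
        "src_port": src_port,
        "dst_port": dst_port,
        "udp_length": udp_len,
        "udp_checksum": udp_csum,
        "warnings": [],
    }

    # The UDP length field covers header + payload; compare with what was captured.
    if udp_len != len(data):
        result["warnings"].append(
            f"UDP length field {udp_len} != {len(data)} bytes captured")

    payload = data[8:]
    if len(payload) < 12:
        result["warnings"].append("DNS header truncated")
        return result

    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    result.update({
        "txid": txid,
        "flags": flags,
        "is_response": bool(flags >> 15),             # QR bit
        "opcode": DNS_OPCODE_NAMES.get((flags >> 11) & 0xF, "reserved"),
        "recursion_desired": bool((flags >> 8) & 1),  # RD bit
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
        "trailing": payload[12:].hex(),
    })

    # Even the shortest legal question (root name + QTYPE + QCLASS) is 5 bytes,
    # so fewer than 5 * QDCOUNT bytes after the header cannot be a real question.
    if qd and len(payload) - 12 < 5 * qd:
        result["warnings"].append(
            "question section shorter than QDCOUNT implies")
    return result


def matches_reported_pattern(fields: dict) -> bool:
    """Match the constants the post reports as fixed across the capture:
    source port 4591, destination port 53, UDP length 25, a standard query
    with exactly one question and no answer/authority/additional records.
    Hypothetical detection helper, not a rule from the post."""
    return (
        fields.get("src_port") == 4591
        and fields.get("dst_port") == 53
        and fields.get("udp_length") == 25
        and fields.get("opcode") == "QUERY"
        and not fields.get("is_response", True)
        and fields.get("qdcount") == 1
        and fields.get("ancount") == 0
        and fields.get("nscount") == 0
        and fields.get("arcount") == 0
    )


if __name__ == "__main__":
    decoded = parse_udp_dns(SNIPPET_HEX)
    for key, value in decoded.items():
        print(f"{key:>18}: {value:#06x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>18}: {value}")
    print("matches reported pattern:", matches_reported_pattern(decoded))
```

Run against the quoted bytes it reproduces Mike's reading (source 0x11ef, destination 53, length 25, checksum 0x2374, transaction id 0x71f7, flags 0x0100 meaning a standard query with RD set, QDCOUNT 1 and zero RRs) and flags one thing worth noting: the snippet as pasted is 26 bytes while the UDP length field says 25, so the last byte may be padding or an extra byte from the dump. The trailing bytes are left as hex so the reader can compare them with the post's remark that no real query follows.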


