
Ethereal-users: RE: [Ethereal-users] Re: DNS Malformed Packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Wed, 4 May 2005 17:13:06 +1000
Yep, you're right. I was misled by Ethereal in that if you select the
"Fragment offset" in the Packet Details window, of course it highlights
the full 2 bytes in the Packet Bytes window. Of course, I forgot to
check that something else, the flags, uses the same byte range.

But as you said, certainly it looks like a DoS with a nonsense DNS query.
I imagine that no DNS server, though, would react to such a packet.

Martin Visser, CISSP
Network and Security Consultant 
Consulting & Integration
Technology Solutions Group - HP Services

410 Concord Road
Rhodes NSW  2138
Australia 

Mobile: +61-411-254-513
Fax: +61-2-9022-1800     
E-mail: martin.visser@xxxxxx

This email (including any attachments) is intended only for the use of
the individual or entity named above and may contain information that is
confidential, proprietary or privileged. If you are not the intended
recipient, please notify HP immediately by return email and then delete
the email, destroy any printed copy and do not disclose or use the
information in it.


-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of ronnie
sahlberg
Sent: Wednesday, 4 May 2005 4:12 PM
To: Ethereal user support
Subject: [Ethereal-users] Re: DNS Malformed Packet

No, the fragment offset is correct.
The top 3 bits of this 16-bit field are flags.

His packet has the DontFragment bit set and offset:0

Your packet also has offset:0 but not the DontFragment bit.


It looks like a denial of service attack.


On 5/4/05, Visser, Martin <martin.visser@xxxxxx> wrote:
>  
> You are probably right (regarding Denial Of Service attempt). It
> might be useful if you can use the "Decode as" function to force
> decoding as DNS (or at least IP).
> 
> However I have compared your trace with a valid DNS request that I have.
> At offset 0x14 you have the value 0x4000 whereas my standard request
> has the value 0x0000. These two bytes are the IP fragment offset
> field. What this means is that this packet is instructing you that
> the payload in this IP packet should be "glued" on to the previous
> payload on this connection's contents at an offset of 0x4000 (16384) x 8
> bytes (or 131072 bytes) after the first fragment. This would be unusual for a DNS
> request (very big request indeed!!!)
> 
> Basically you have received an IP fragmentation attack. It may well be
> causing your host to allocate more buffer space than it ought.
> 
> You may want to investigate and patch it appropriately. 
> 
> 
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jim Gonzalez
> Sent: Wednesday, 4 May 2005 8:10 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] DNS Malformed Packet
> 
> Hello,
>         I used Ethereal to diagnose a problem with my network this
> morning but I cannot find a resolution. I think this was some type of
> DoS. I did have some packet loss to my core router. Can someone
> explain this occurrence and possibly direct me to some more
> information. Here is the captured packet. Info on the packet is Unknown
> operation (6) [Malformed Packet]
> 
> 
> 0000  00 0f 1f 70 02 6c 00 e0  52 e9 02 00 08 00 45 00   ...p.l.. R.....E.
> 0010  00 2b 2c fd 40 00 37 11  4f 47 45 09 a6 22 40 b1   .+,.@.7. OGE.."@.
> 0020  9b a1 81 8e 00 35 00 17  e7 ed 30 31 32 33 34 35   .....5.. ..012345
> 0030  36 37 38 39 41 42 43 44  45 00 00 00               6789ABCD E...
> 
> 
> Thanks
> Jim Gonzalez
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
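
To make concrete what Ronnie describes (the top three bits of the 16-bit word at IP header offset 6 are flags, so 0x4000 is DF set with fragment offset 0, not an offset of 0x4000) and what Ethereal meant by "Unknown operation (6)", here is an added example that decodes the frame from Jim's hex dump. This is the editor's own Python, not code from the thread or from Ethereal/Wireshark; the frame bytes are transcribed from the posted dump, and the function names and the extra consistency checks (IP header checksum, UDP length versus IP total length, Ethernet padding) are illustrative additions.

```python
"""Decode the posted frame and split the IPv4 flags/fragment-offset word.

Added example, not code from the mailing-list thread. FRAME is transcribed
from the hex dump in the original message; the helper functions are the
editor's own illustration of the checks discussed in the thread.
"""
import struct

# Frame bytes transcribed from the posted hex dump (60-byte Ethernet frame).
FRAME = bytes.fromhex(
    "00 0f 1f 70 02 6c 00 e0 52 e9 02 00 08 00 45 00 "
    "00 2b 2c fd 40 00 37 11 4f 47 45 09 a6 22 40 b1 "
    "9b a1 81 8e 00 35 00 17 e7 ed 30 31 32 33 34 35 "
    "36 37 38 39 41 42 43 44 45 00 00 00"
)


def split_frag_word(word):
    """Split the 16-bit IPv4 flags + fragment-offset field (RFC 791).

    Bit 15 is reserved, bit 14 is DF (Don't Fragment), bit 13 is MF (More
    Fragments); the low 13 bits are the fragment offset in 8-byte units.
    Reading the whole word as an offset (0x4000 * 8 = 131072) is the
    misreading the thread corrects: 0x4000 is DF set with offset 0.
    """
    return {
        "reserved": bool(word & 0x8000),
        "DF": bool(word & 0x4000),
        "MF": bool(word & 0x2000),
        "offset_units": word & 0x1FFF,
        "offset_bytes": (word & 0x1FFF) * 8,
        "whole_word_times_8": word * 8,  # the misreading, kept for comparison
    }


def ipv4_header_checksum_ok(header):
    """Ones-complement sum over the header (checksum included) must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> UDP -> DNS header and report the fields of interest."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag_word, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    # Ethernet pads short frames to 60 bytes; slice by the IP total length so
    # the trailing zero bytes are not mistaken for DNS payload.
    padding = len(ip) - total_len
    ip = ip[:total_len]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:udp_len]
    dns_id, dns_flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", dns[:12])
    return {
        "frag": split_frag_word(frag_word),
        "ip_checksum_ok": ipv4_header_checksum_ok(ip[:ihl]),
        "ip_total_len": total_len,
        "udp_len": udp_len,
        "udp_len_consistent": udp_len == total_len - ihl,
        "ethernet_padding": padding,
        "dst_port": dport,
        # Opcode is bits 11..14 of the DNS flags word; 6 is undefined, hence
        # Ethereal's "Unknown operation (6)".
        "dns_opcode": (dns_flags >> 11) & 0xF,
        "dns_qdcount": qdcount,
        "dns_rest": dns[12:],  # bytes left for the claimed question section
    }


if __name__ == "__main__":
    for key, value in decode_frame(FRAME).items():
        print("%-20s %r" % (key, value))
```

Run stand-alone it prints the decoded fields: DF set with offset 0, a valid IP header checksum, UDP length 23 matching the IP total length of 43, three bytes of Ethernet padding, destination port 53, DNS opcode 6, and a header that claims 13365 questions while only the bytes "CDE" follow it. The payload is simply the ASCII string 0123456789ABCDE dropped into a UDP/53 datagram, which is why Ethereal flags it as malformed.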