
DNS help

From: larosa, vjay <larosa_vjay(at)emc.com>
Date: Wed Dec 11 2002 - 16:09:49 EST


Hello,

These packets were caught using a Shadow IDS sensor. I was hoping that somebody on the list could help me understand what is happening below. I am familiar with Snort and tcpdump, as well as the concept of packet fragmentation. I am mostly interested in finding out about the DNS requests being made, and why they are coming back fragmented.

TIA. vjl

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.152128 DNS.server.com.33795 > outside.guy.com.domain: 46806 [1au][|domain] (DF)
12:15:24.157454 DNS.server.com.33795 > outside.guy.com.domain: 9239 [1au][|domain] (DF)
12:15:24.158551 DNS.server.com.33795 > outside.guy.com.domain: 46805 [1au][|domain] (DF)
12:15:24.159592 DNS.server.com.33795 > outside.guy.com.domain: 50353 [1au][|domain] (DF)
12:15:24.160626 DNS.server.com.33795 > outside.guy.com.domain: 17807 [1au][|domain] (DF)
12:15:24.161826 DNS.server.com.33795 > outside.guy.com.domain: 19219 [1au][|domain] (DF)
12:15:24.163753 DNS.server.com.33795 > outside.guy.com.domain: 59633 [1au][|domain] (DF)
12:15:24.164545 DNS.server.com.33795 > outside.guy.com.domain: 18273 [1au][|domain] (DF)
12:15:24.165679 DNS.server.com.33795 > outside.guy.com.domain: 48440 [1au][|domain] (DF)
12:15:24.166673 DNS.server.com.33795 > outside.guy.com.domain: 61217 [1au][|domain] (DF)
12:15:24.167800 DNS.server.com.33795 > outside.guy.com.domain: 29311 [1au][|domain] (DF)

12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:15:24.295598 outside.guy.com.domain > DNS.server.com.33795: 46806[|domain] (frag 48819:1480@0+)
12:15:24.295649 outside.guy.com > DNS.server.com: (frag 48819:575@1480)
12:15:24.333422 outside.guy.com.domain > DNS.server.com.33795: 9239[|domain] (frag 48820:1480@0+)
12:15:24.333473 outside.guy.com > DNS.server.com: (frag 48820:575@1480)
12:15:24.360503 outside.guy.com.domain > DNS.server.com.33795: 46805[|domain] (frag 48821:1480@0+)
12:15:24.360554 outside.guy.com > DNS.server.com: (frag 48821:575@1480)
12:15:24.392889 outside.guy.com.domain > DNS.server.com.33795: 50353[|domain] (frag 48822:1480@0+)
12:15:24.392940 outside.guy.com > DNS.server.com: (frag 48822:575@1480)
12:15:24.428942 outside.guy.com.domain > DNS.server.com.33795: 17807[|domain] (frag 48823:1480@0+)
12:15:24.428994 outside.guy.com > DNS.server.com: (frag 48823:575@1480)
12:15:24.459730 outside.guy.com.domain > DNS.server.com.33795: 19219[|domain] (frag 48824:1480@0+)
12:15:24.459781 outside.guy.com > DNS.server.com: (frag 48824:575@1480)
12:15:24.494179 outside.guy.com.domain > DNS.server.com.33795: 59633[|domain] (frag 48825:1480@0+)
12:15:24.494232 outside.guy.com > DNS.server.com: (frag 48825:575@1480)
12:15:24.525783 outside.guy.com.domain > DNS.server.com.33795: 18273[|domain] (frag 48826:1480@0+)
12:15:24.525841 outside.guy.com > DNS.server.com: (frag 48826:575@1480)
12:15:24.559128 outside.guy.com.domain > DNS.server.com.33795: 48440[|domain] (frag 48827:1480@0+)
12:15:24.559176 outside.guy.com > DNS.server.com: (frag 48827:575@1480)
12:15:24.594751 outside.guy.com.domain > DNS.server.com.33795: 61217[|domain] (frag 48828:1480@0+)
12:15:24.594801 outside.guy.com > DNS.server.com: (frag 48828:575@1480)
12:15:24.624849 outside.guy.com.domain > DNS.server.com.33795: 29311[|domain] (frag 48829:1480@0+)
12:15:24.624903 outside.guy.com > DNS.server.com: (frag 48829:575@1480)

12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain: 4322 [1au][|domain] (DF)
12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795: 4322[|domain] (frag 48830:1480@0+)
12:23:55.641364 outside.guy.com > DNS.server.com: (frag 48830:575@1480)

12:26:55.978869 ns2.lss.emc.com.61962 > outside.guy.com.domain: 40970 [1au][|domain] (DF)
12:26:56.127074 outside.guy.com.domain > ns2.lss.emc.com.61962: 40970[|domain] (frag 6266:1480@0+)
12:26:56.127125 outside.guy.com > ns2.lss.emc.com: (frag 6266:575@1480)

V.Jay LaRosa                           EMC Corporation
Information Security                  171 South Street
(508)249-3355 office                  Hopkinton, MA 01748
(508)498-5575 cell                     www.emc.com
(888-799-9750 pager                  larosa_vjay@emc.com
(508)497-8082 fax
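An added example, not part of the original post and not EMC's or the list's code, that reads tcpdump lines in the shape of the trace above and reconstructs how large each reply really was. tcpdump prints a fragment as `(frag ID:LEN@OFF+)`: ID is the IP identification field shared by all fragments of one datagram, LEN and OFF are byte counts of the IP payload (the IP header itself is not counted), and a trailing `+` means the more-fragments bit is set; only the first fragment carries the UDP header, so only it is printed with ports and a DNS transaction ID. The `[1au]` on the queries is tcpdump's count of additional records, and in a query the additional record is normally the EDNS0 OPT pseudo-RR that advertises a UDP buffer larger than the classic 512 bytes. The sample trace below is constructed from the page's lines (hostnames and sizes copied from them) plus one made-up query, 11111, that never gets a reply; the constants for Ethernet MTU and header sizes are the usual IPv4 values.

```python
"""Reassemble DNS reply sizes from tcpdump fragment notation (added example)."""
import re
from collections import OrderedDict

ETHERNET_MTU = 1500         # largest IP datagram an Ethernet link carries whole
IP_HEADER = 20              # IPv4 header without options
UDP_HEADER = 8
CLASSIC_DNS_UDP_MAX = 512   # RFC 1035 ceiling for UDP replies without EDNS0

# Constructed sample in the shape of the trace above (hostnames and sizes copied
# from it). 56162 and 4322 get two-fragment replies; 11111 is made up and unanswered.
SAMPLE_TRACE = """\
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171040 outside.guy.com > DNS.server.com: (frag 48818:575@1480)
12:23:55.499215 DNS.server.com.33795 > outside.guy.com.domain: 4322 [1au][|domain] (DF)
12:23:55.641310 outside.guy.com.domain > DNS.server.com.33795: 4322[|domain] (frag 48830:1480@0+)
12:23:55.641364 outside.guy.com > DNS.server.com: (frag 48830:575@1480)
12:30:00.000000 DNS.server.com.33795 > outside.guy.com.domain: 11111 [1au][|domain] (DF)
"""

# query: <ts> client.port > server.domain: <txid> [<n>au]...
QUERY_RE = re.compile(r'^\S+ (\S+?)\.(\d+) > (\S+?)\.domain: (\d+)\s*(?:\[(\d+)au\])?')
# first fragment of a reply: <ts> server.domain > client.port: <txid>...
REPLY_RE = re.compile(r'^\S+ (\S+?)\.domain > (\S+?)\.(\d+): (\d+)')
# any fragment: (frag <ipid>:<len>@<offset>[+])
FRAG_RE = re.compile(r'\(frag (\d+):(\d+)@(\d+)(\+?)\)')


def parse_trace(text):
    """Map each DNS transaction ID to its query and the reply fragments seen for it."""
    queries = OrderedDict()
    ipid_to_txid = {}   # IP ID of a reply datagram -> DNS transaction ID
    for line in text.splitlines():
        line = line.strip()
        frag = FRAG_RE.search(line)
        q = QUERY_RE.match(line)
        if q and not frag:
            client, sport, server, txid, arcount = q.groups()
            queries[int(txid)] = {
                'client': client, 'sport': int(sport), 'server': server,
                'additional_rrs': int(arcount) if arcount else 0,
                'fragments': [],   # (offset, length, more_fragments)
            }
        elif frag:
            ip_id, length, offset, more = frag.groups()
            r = REPLY_RE.match(line)
            if r:   # first fragment: tcpdump could decode the UDP ports and txid
                ipid_to_txid[int(ip_id)] = int(r.group(4))
            txid = ipid_to_txid.get(int(ip_id))
            if txid in queries:   # continuation fragments are tied back via the IP ID
                queries[txid]['fragments'].append((int(offset), int(length), more == '+'))
    return queries


def summarize(queries):
    """Reassemble fragment sizes per transaction and compare them with the link MTU."""
    report = OrderedDict()
    for txid, q in queries.items():
        frags = sorted(q['fragments'])
        entry = {'answered': bool(frags), 'query_additional_rrs': q['additional_rrs']}
        if frags:
            # fragments must tile the payload from offset 0 with no gap or overlap,
            # and the last one must have the more-fragments bit clear
            tiled = all(nxt[0] == cur[0] + cur[1] for cur, nxt in zip(frags, frags[1:]))
            entry['complete'] = tiled and frags[0][0] == 0 and not frags[-1][2]
            if entry['complete']:
                ip_payload = frags[-1][0] + frags[-1][1]
                entry['fragments'] = len(frags)
                entry['ip_payload'] = ip_payload                    # UDP header + DNS message
                entry['dns_message'] = ip_payload - UDP_HEADER
                entry['datagram'] = ip_payload + IP_HEADER          # size before fragmentation
                entry['over_mtu'] = entry['datagram'] > ETHERNET_MTU
                entry['over_classic_512'] = entry['dns_message'] > CLASSIC_DNS_UDP_MAX
        report[txid] = entry
    return report


if __name__ == '__main__':
    for txid, e in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(txid, e)
```

Run against the sizes in the trace, each reply reassembles to 1480 + 575 = 2055 bytes of IP payload, i.e. a 2047-byte DNS message inside a 2075-byte datagram. That is larger than a 1500-byte Ethernet frame, so the sending host must fragment it (the first piece is exactly 1480 bytes, the payload of a full frame), and it is also far above the 512-byte limit of pre-EDNS0 DNS, so the query must have advertised a larger UDP buffer in its additional record. The `complete` flag is worth keeping in real use: a sensor that only sees the first fragment will report a txid with no reassembled size, and a set of fragments that do not tile is the classic symptom of evasion or loss, not a normal reply.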

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Dec 11 17:22:49 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

