[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Mike Spencer mspencer at tallships.ca
Mon Jun 30 02:48:53 ADT 2014


me> I'm seeing (with tcpdump running in an xterm behind whatever I'm
me> doing) numerous packets, variously:
me>
me>    + source port 53, reporting ServFail
me>    + source port 53, reporting NXDomain
me>    + ICMP reporting "udp port 53 unreachable"

CT> Sorry to come in late but... What were you doing? What command or
CT> filter did you use? What was the full output? What is/was your IP?
CT> Is your traffic natted? Are you using a vlan?

Home Linux box; on dialup; IP address at the time 24.215.115.23 which
my ISP assigns from Eastlink's 24.215.64.0/18; single user; not a
server. No background processes running that do network stuff. Nobody is
piggybacking on a wireless router.

Running tcpdump invoked to ignore most traffic (web browsing, Usenet,
mail check)[1]. 

What I was seeing was like these:

    02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34 
                    udp port 53 unreachable, length 70

    02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510:  
                    1907 ServFail 0/0/0 (42)

    03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636:  
                    62834 NXDomain 0/0/0 (34)

205 unique source addresses in just under an hour, one packet per src address.


I found mention of DNS flooding on the net. Presumably people could be
forging my IP address in packets meant to DoS DNS and then I would get
the replies. Doesn't look like that's happening here. The source hosts
are all sorts, many with names that look like subscriber lines.

It appears that numerous people/hosts are sending unsolicited DNS
replies.  I wonder why, what's happening.


Not seeing it tonight.  My usual ISP is down and the backup ISP
seems to have different filters in place. Only one DNS packet and it's
an ANY request for census.gov from (no rDNS) someplace in USA:PA.


- Mike


[1] 

# OPT_INTERFACE holds the interface option (e.g. "-i ppp0"); TD_NEWS_SERVER,
# TD_DNS_SERVER, TD_MAIL_SERVER, GATE and DYNADDR hold host names/addresses.
# RIP_PROBER is assumed to be a complete filter sub-expression (it is wrapped
# in its own parentheses). "not" is the pcap keyword equivalent to "!", and
# avoids relying on how the shell treats "!" inside double quotes.
tcpdump -n  ${OPT_INTERFACE} "not host ( $TD_NEWS_SERVER || $TD_DNS_SERVER  \
            || $TD_MAIL_SERVER ) && not ($RIP_PROBER)                        \
            && not (src host $DYNADDR && dst port 80)                        \
            && not (src port 80 && dst host $DYNADDR)                        \
            && not ((src host $GATE || src host $DYNADDR) && icmp)           \
            && not (icmp && icmp[icmptype] == icmp-redirect)                 \
            && not port 123"

Now that I look at this, it's probably time for a revision. :-)

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
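Added example (not part of Mike's post or anything on the nSLUG list): a
small Python script that reads tcpdump -n output of the two shapes quoted
above, re-joins the wrapped continuation lines, classifies each packet as
ICMP "udp port 53 unreachable", ServFail, NXDomain or a normal reply, and
reports the figures one would look at when weighing the spoofed-query
(backscatter) hypothesis the post raises: unique sources, packets per
source, how many replies match a query this host actually sent, how many
of the unsolicited ones carry an empty answer section, and the destination
ports they arrive on. The sample input is constructed: the three records
from the post plus one legitimate reply from a hypothetical resolver at
192.0.2.53 for a query the host is assumed to have sent; the set of sent
queries is likewise constructed (on a real host it would come from logging
the outbound queries, e.g. a second tcpdump on "dst port 53").

```python
import re
from collections import Counter

# tcpdump -n records of the two shapes quoted in the post, one per line once
# continuation lines are re-joined.
#   ICMP: "<ts> IP <src> > <dst>: ICMP <src> udp port 53 unreachable, length N"
ICMP_UNREACH_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<reporter>[\d.]+) udp port (?P<port>\d+) unreachable, length (?P<len>\d+)$"
)
#   DNS reply: "<ts> IP <src>.53 > <dst>.<dport>: <id>[flags] [rcode] an/ns/ar ... (len)"
DNS_REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[*+$|-]*)\s+"
    r"(?:(?P<rcode>ServFail|NXDomain|Refused|FormErr|NotImp)\s+)?"
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+).*\((?P<len>\d+)\)$"
)


def join_wrapped(text):
    """Re-join records that tcpdump (or a mail client) wrapped onto indented
    continuation lines, as in the post. Returns one string per packet."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] = records[-1].rstrip() + " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_record(rec, my_ip):
    """Classify one record addressed to my_ip; None for anything else."""
    m = ICMP_UNREACH_RE.match(rec)
    if m and m["dst"] == my_ip:
        return {"src": m["src"], "kind": "icmp-port-unreach",
                "dport": None, "id": None, "an": None}
    m = DNS_REPLY_RE.match(rec)
    if m and m["dst"] == my_ip and m["sport"] == "53":
        return {"src": m["src"], "kind": m["rcode"] or "NoError",
                "dport": int(m["dport"]), "id": int(m["id"]), "an": int(m["an"])}
    return None


def summarize(records, my_ip, sent_queries=frozenset()):
    """sent_queries: {(server_ip, our_source_port, dns_id)} for queries this
    host really sent. A reply matching none of them is unsolicited."""
    pkts = [p for p in (parse_record(r, my_ip) for r in records) if p]
    per_src = Counter(p["src"] for p in pkts)
    replies = [p for p in pkts if p["kind"] != "icmp-port-unreach"]
    unsolicited = [p for p in replies
                   if (p["src"], p["dport"], p["id"]) not in sent_queries]
    return {
        "packets": len(pkts),
        "unique_sources": len(per_src),
        "max_per_source": max(per_src.values(), default=0),
        "by_kind": dict(Counter(p["kind"] for p in pkts)),
        "unsolicited_replies": len(unsolicited),
        "empty_unsolicited": sum(1 for p in unsolicited if p["an"] == 0),
        "unsolicited_dports": sorted({p["dport"] for p in unsolicited}),
    }


def analyze_text(text, my_ip, sent_queries=frozenset()):
    return summarize(join_wrapped(text), my_ip, sent_queries)


# Constructed sample: the three records quoted in the post plus one ordinary
# reply from a hypothetical resolver (192.0.2.53) to a query this host sent.
SAMPLE = """\
02:58:54.788688 IP 91.133.244.34 > 24.215.115.23: ICMP 91.133.244.34 
                udp port 53 unreachable, length 70
02:59:24.048691 IP 192.157.242.141.53 > 24.215.115.23.35510:  
                1907 ServFail 0/0/0 (42)
03:00:13.948690 IP 193.151.80.59.53 > 24.215.115.23.41636:  
                62834 NXDomain 0/0/0 (34)
03:00:20.100000 IP 192.0.2.53.53 > 24.215.115.23.50000: 4242 1/0/0 A 203.0.113.7 (58)
"""
MY_IP = "24.215.115.23"
SENT = frozenset({("192.0.2.53", 50000, 4242)})  # constructed: the one query we sent

if __name__ == "__main__":
    for key, value in analyze_text(SAMPLE, MY_IP, SENT).items():
        print(f"{key}: {value}")
```

Run against a real capture with `tcpdump -n -l ... | python3 script.py`-style
plumbing (read stdin instead of SAMPLE) and feed it the host's own outbound
queries; the ICMP records count as unsolicited by construction, since a host
that sent no query to that address can only receive such a message if
something else put its address in the source field.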