Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Odd DNS Traffic SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Odd DNS Traffic

We received a query from one of our readers earlier today asking about some odd DNS traffic that they have been seeing at their site over the last several months.

The traffic is directed at a DNS server that is acting only as a caching server for outbound queries which originate within the local site.  No inbound queries from the Internet are allowed.

The inbound traffic pattern is thus:

1) AN ICMP echo-request is sent to the local DNS server.
2) A UDP DNS query for the root DNS servers is sent to the local DNS server.
3) A UDP PTR query for the IP address of the local DNS server is sent to the local DNS server.
4) Last, a malformed TCP DNS packet is sent to the local DNS server.  This packet has the SYN flag set.

This traffic has come "from" many different sources IP addresses during this time. For a given
 instance of this traffic pattern, the four packets all come from the same source IP address.
If anyone else is seeing traffic like this, we like to hear from you.


78 Posts
Jul 5th 2007

Sign Up for Free or Log In to start participating in the conversation!