bsdjunkie
October 20th, 2004, 16:57
Been seeing this for a while now, and just today someone else posted to dshield, and I got another confirmation from a friend in Canada that sees it. Any ideas of what this is, or if you see it as well, would be helpful ;) It's random IPs from a Class C in Russia talking to DNS servers.

0.000000 83.102.166.23 -> a.b.c.d IP Fragmented IP protocol (proto=UDP 0x11, off=512)

0000 00 02 b3 d5 27 9e 00 05 5f bb 70 08 08 00 45 00 ....'..._.p...E.
0010 00 2d 11 87 00 40 37 11 6a 21 53 66 a6 17 xx xx .-...@7.j!Sf..?N
0020 xx xx 11 ef 00 35 00 19 6f c7 71 f7 01 00 00 01 .....5..o.q.....
0030 00 00 00 00 00 00 00 00 02 00 01 00 d9 7f e2 fb ................

4.013014 83.102.166.44 -> a.b.c.d IP Fragmented IP protocol (proto=UDP 0x11, off=512)

0000 00 02 b3 d5 27 9e 00 05 5f bb 70 08 08 00 45 00 ....'..._.p...E.
0010 00 2d 83 b5 00 40 37 11 f7 dd 53 66 a6 2c xx xx .-...@7...Sf.,?N
0020 xx xx 11 ef 00 35 00 19 6f b2 71 f7 01 00 00 01 .....5..o.q.....
0030 00 00 00 00 00 00 00 00 02 00 01 00 6f aa 8f f8 ............o...

9.165602 83.102.166.131 -> a.b.c.d IP Fragmented IP protocol (proto=UDP 0x11, off=512)

0000 00 02 b3 d5 27 9e 00 05 5f bb 70 08 08 00 45 00 ....'..._.p...E.
0010 00 2d a7 4e 00 40 37 11 d3 ed 53 66 a6 83 xx xx .-.N.@7...Sf..?N
0020 xx xx 11 ef 00 35 00 19 6f 5b 71 f7 01 00 00 01 .....5..o[q.....
0030 00 00 00 00 00 00 00 00 02 00 01 00 34 16 5c 84 ............4.\.

0.000000 83.102.166.58 -> a.b.c.d IP Fragmented IP protocol (proto=UDP 0x11, off=512)

0000 00 02 b3 d5 27 9e 00 05 5f bb 70 08 08 00 45 00 ....'..._.p...E.
0010 00 2d 54 ab 00 40 37 11 26 da 53 66 a6 3a xx xx .-T..@7.&.Sf.:?N
0020 xx xx 11 ef 00 35 00 19 6f a4 71 f7 01 00 00 01 .....5..o.q.....
0030 00 00 00 00 00 00 00 00 02 00 01 00 5b e8 16 e0 ............[...
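As an added example (not from the original post or its capture tool), here is a small Python decoder for the dumps above. It parses the Ethernet/IPv4/UDP/DNS layers and lists why each packet looks odd: the IP header claims a fragment at offset 512 with the more-fragments bit clear, yet the payload still carries a complete UDP header to port 53 and a recursion-desired NS query for the root zone. The sample bytes are transcribed from the first dump with the ASCII column dropped; the masked destination `xx xx xx xx` is replaced with the documentation address 192.0.2.1 as a placeholder, so the IP and UDP checksums no longer match and are not verified. The other three dumps decode the same way once transcribed.

```python
import struct

# Constructed sample: the first hex dump from the post, ASCII column removed,
# masked destination replaced by the placeholder address 192.0.2.1.
SAMPLE_DUMP = """\
0000 00 02 b3 d5 27 9e 00 05 5f bb 70 08 08 00 45 00
0010 00 2d 11 87 00 40 37 11 6a 21 53 66 a6 17 c0 00
0020 02 01 11 ef 00 35 00 19 6f c7 71 f7 01 00 00 01
0030 00 00 00 00 00 00 00 00 02 00 01 00 d9 7f e2 fb
"""

IP_FLAG_MF = 0x1          # "more fragments" bit in the 3-bit IP flags field
DNS_FLAG_RD = 0x0100      # "recursion desired" bit in the DNS header flags


def parse_hexdump(text):
    """Convert 'offset b0 b1 ... b15' lines (ASCII column removed) to bytes."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            out.extend(int(b, 16) for b in parts[1:])
    return bytes(out)


def decode_dns_name(buf, pos):
    """Read an uncompressed DNS name at buf[pos]; return (name, next_pos)."""
    labels = []
    while True:
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return (".".join(labels) + ".") if labels else ".", pos


def analyze_frame(frame):
    """Decode Ethernet/IPv4/UDP/DNS and collect findings about anomalies."""
    ip = frame[14:]                                   # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    flags = flags_frag >> 13
    frag_offset = (flags_frag & 0x1FFF) * 8           # offset field is in 8-byte units
    info = {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ip[8],
        "proto": ip[9],
        "flags_mf": bool(flags & IP_FLAG_MF),
        "frag_offset": frag_offset,
        "findings": [],
    }
    payload = ip[ihl:total_len]
    # A genuine non-first fragment carries no transport header. We decode one
    # anyway, because these packets are laid out like complete datagrams.
    if info["proto"] == 17 and len(payload) >= 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        info.update({"sport": sport, "dport": dport, "udp_len": ulen})
        dns = payload[8:ulen]
        if dport == 53 and len(dns) >= 12:
            txid, dflags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
            info.update({"dns_id": txid, "dns_flags": dflags, "qdcount": qd})
            if qd >= 1:
                qname, pos = decode_dns_name(dns, 12)
                qtype, qclass = struct.unpack("!HH", dns[pos:pos + 4])
                info.update({"qname": qname, "qtype": qtype, "qclass": qclass})
    if frag_offset != 0 and info.get("dport") == 53:
        info["findings"].append(
            "non-initial fragment (offset %d) that still carries a UDP/DNS header; "
            "stateless filters that inspect only first fragments can miss it, and the "
            "receiver cannot reassemble it without a matching first fragment" % frag_offset)
    if frag_offset != 0 and not info["flags_mf"]:
        info["findings"].append(
            "claims to be the last fragment, but no first fragment appears in the capture")
    if (info.get("qname") == "." and info.get("qtype") == 2
            and info.get("dns_flags", 0) & DNS_FLAG_RD):
        info["findings"].append(
            "recursion-desired NS query for the root zone, a common resolver liveness probe")
    return info


if __name__ == "__main__":
    result = analyze_frame(parse_hexdump(SAMPLE_DUMP))
    print("%s:%d -> %s:%d  frag_offset=%d MF=%s  query=%s type=%d" % (
        result["src"], result["sport"], result["dst"], result["dport"],
        result["frag_offset"], result["flags_mf"], result["qname"], result["qtype"]))
    for finding in result["findings"]:
        print(" -", finding)
```

Feed it the other dumps by pasting them into `SAMPLE_DUMP` the same way (ASCII column stripped, masked bytes filled with a placeholder); the source port, DNS transaction id and root NS question are identical across all four, and only the source host and IP id/checksum fields change.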

elmore
October 20th, 2004, 17:05
Why don't you just turn off recursion on your public BIND servers, or implement appropriate ACLs? In either case, I'm not seeing any of that traffic on the public DNS servers for my company here. I will be on the lookout for it now.