Ask Your Question
0

DNS amplification attack

asked 2019-01-15 19:17:03 +0000

Avni gravatar image

updated 2019-01-15 21:22:23 +0000

SYN-bit gravatar image

Hi I'm still learning how to use wireshark properly. Attaching the pcap for the reference. Was wondering if this looks like a DNS amplification attack.

Frame 2: 645 bytes on wire (5160 bits), 645 bytes captured (5160 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jan  8, 2019 16:13:17.000001000 Central Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1546985597.000001000 seconds
    [Time delta from previous captured frame: 0.000001000 seconds]
    [Time delta from previous displayed frame: 0.000001000 seconds]
    [Time since reference or first frame: 0.000001000 seconds]
    Frame Number: 2
    Frame Length: 645 bytes (5160 bits)
    Capture Length: 645 bytes (5160 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_80:56:00 (50:87:89:80:56:00), Dst: F5Networ_8b:ea:c3 (00:23:e9:8b:ea:c3)
    Destination: F5Networ_8b:ea:c3 (00:23:e9:8b:ea:c3)
        Address: F5Networ_8b:ea:c3 (00:23:e9:8b:ea:c3)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_80:56:00 (50:87:89:80:56:00)
        Address: Cisco_80:56:00 (50:87:89:80:56:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.43.172.30, Dst: 159.180.162.56
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 631
    Identification: 0xe8ff (59647)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 59
    Protocol: UDP (17)
    Header checksum: 0xe63f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.43.172.30
    Destination: 159.180.162.56
User Datagram Protocol, Src Port: 53, Dst Port: 36819
    Source Port: 53
    Destination Port: 36819
    Length: 611
    Checksum: 0x34ac [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Domain Name System (response)
    Transaction ID: 0x9989
    Flags: 0x8010 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...1 .... = Non-authenticated data: Acceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 6
    Additional RRs: 3
    Queries
        PReS.sErVerHomE.Com: type A, class IN
            Name: PReS.sErVerHomE.Com
            [Name Length: 19]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Authoritative nameservers
        sErVerHomE.Com: type NS, class IN, ns dns2.sErVerHomE.Com
            Name: sErVerHomE.Com
            Type: NS (authoritative Name Server) (2)
            Class: IN ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-01-31 04:15:21 +0000

Hi,

A DNS amplification attack usually means that you are seeing "a lot" of DNS responses for queries that did not originate from your device. (what is "a lot" depends on various factors but one is the bandwidth of your connection)

So if you captured "a lot" of these then it may be a DNS amplification attack.

It looks like this packet is coming from one of the GTLD servers for dot COM.

The source IPv4 address 192.43.172.30 is a match for i.gtld-servers.net

The packet could be forged but it looks legit.

Hope this helps.

Cheers,

JF

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-01-15 19:17:03 +0000

Seen: 2,981 times

Last updated: Jan 31 '19