DNS amplification attack
Hi, I'm still learning how to use Wireshark properly. Attaching the pcap for reference. Was wondering if this looks like a DNS amplification attack.
Frame 2: 645 bytes on wire (5160 bits), 645 bytes captured (5160 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Jan 8, 2019 16:13:17.000001000 Central Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1546985597.000001000 seconds
[Time delta from previous captured frame: 0.000001000 seconds]
[Time delta from previous displayed frame: 0.000001000 seconds]
[Time since reference or first frame: 0.000001000 seconds]
Frame Number: 2
Frame Length: 645 bytes (5160 bits)
Capture Length: 645 bytes (5160 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:dns]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Cisco_80:56:00 (50:87:89:80:56:00), Dst: F5Networ_8b:ea:c3 (00:23:e9:8b:ea:c3)
Destination: F5Networ_8b:ea:c3 (00:23:e9:8b:ea:c3)
Address: F5Networ_8b:ea:c3 (00:23:e9:8b:ea:c3)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_80:56:00 (50:87:89:80:56:00)
Address: Cisco_80:56:00 (50:87:89:80:56:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.43.172.30, Dst: 159.180.162.56
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 631
Identification: 0xe8ff (59647)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 59
Protocol: UDP (17)
Header checksum: 0xe63f [validation disabled]
[Header checksum status: Unverified]
Source: 192.43.172.30
Destination: 159.180.162.56
User Datagram Protocol, Src Port: 53, Dst Port: 36819
Source Port: 53
Destination Port: 36819
Length: 611
Checksum: 0x34ac [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Domain Name System (response)
Transaction ID: 0x9989
Flags: 0x8010 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...1 .... = Non-authenticated data: Acceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 6
Additional RRs: 3
Queries
PReS.sErVerHomE.Com: type A, class IN
Name: PReS.sErVerHomE.Com
[Name Length: 19]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Authoritative nameservers
sErVerHomE.Com: type NS, class IN, ns dns2.sErVerHomE.Com
Name: sErVerHomE.Com
Type: NS (authoritative Name Server) (2)
Class: IN ...
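The dissection above shows the three things a defender normally checks when deciding whether DNS traffic is amplification hitting a victim rather than ordinary resolver activity: a response arriving from UDP/53 for which the capture host never sent the matching query (same client port and transaction ID), the size of that response relative to the smallest query that could have produced it, and the shape of the response (here an empty answer section with 6 authority and 3 additional records, i.e. a referral, for a mixed-case name of the kind a resolver using 0x20 case randomisation would send). The script below is an added example, not part of the original post and not a Wireshark feature: it parses DNS messages with the same header and question fields Wireshark displays, then correlates queries and responses over a list of packet summaries. The packet list is constructed: the second response copies the addresses, ports, transaction ID, query name and RR counts from frame 2 above, but its NS and A record contents (the dns1 to dns6 hostnames and 192.0.2.x addresses) are stand-ins, so its byte length differs from the 603-byte DNS payload in the capture; the first flow is a made-up benign query/answer pair for contrast.

```python
"""Triage DNS responses in a packet summary for amplification indicators.

Added example (not from the original post). Constructed sample traffic:
one benign query/answer pair plus a referral response mirroring frame 2's
header fields; record contents are invented stand-ins.
"""
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg: bytes, pos: int):
    """Decode a name at pos (handles compression pointers); return (name, next_pos)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:                      # compression pointer: follow it once
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels), (end if jumped else pos)


def parse_dns(msg: bytes) -> dict:
    """Decode the 12-byte header and first question, as Wireshark's summary does."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, pos = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {
        "id": tid, "flags": flags,
        "is_response": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),             # Questions, Answer, Authority, Additional
        "qname": qname, "qtype": qtype,
        "question_len": pos + 4,                # header + question = smallest eliciting query
        "total_len": len(msg),
    }


def build_query(tid: int, qname: str) -> bytes:
    """Standard recursive A query (flags 0x0100 = RD set)."""
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_answer(tid: int, qname: str, ip: str) -> bytes:
    """Response with one A answer (flags 0x8180 = QR, RD, RA)."""
    msg = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    return msg + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))


def build_referral(tid: int, qname: str, nameservers, glue) -> bytes:
    """Referral like frame 2: flags 0x8010 (QR, CD), 0 answers, NS authority, A glue."""
    zone_ptr = 12 + 1 + len(qname.split(".")[0])   # offset of the zone labels inside the question
    msg = struct.pack("!HHHHHH", tid, 0x8010, 1, 0, len(nameservers), len(glue))
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for ns_name in nameservers:
        rdata = encode_name(ns_name)
        msg += struct.pack("!HHHIH", 0xC000 | zone_ptr, 2, 1, 172800, len(rdata)) + rdata
    for host, ip in glue:
        msg += encode_name(host) + struct.pack("!HHIH", 1, 1, 172800, 4) + bytes(int(o) for o in ip.split("."))
    return msg


def triage(packets):
    """Flag each response: unsolicited (no matching query seen), size factor, referral, 0x20 case."""
    seen, findings = set(), []
    for p in packets:
        d = parse_dns(p["dns"])
        if not d["is_response"]:
            seen.add((p["src"], p["sport"], d["id"]))   # client address, client port, txid
            continue
        findings.append({
            "src": p["src"], "dst": p["dst"], "qname": d["qname"],
            "factor": round(d["total_len"] / d["question_len"], 2),
            "unsolicited": (p["dst"], p["dport"], d["id"]) not in seen,
            "referral": d["counts"][1] == 0 and d["counts"][2] > 0,
            "mixed_case": d["qname"] not in (d["qname"].lower(), d["qname"].upper()),
        })
    return findings


# Constructed sample traffic; dns2.sErVerHomE.Com is the only nameserver name shown in the capture.
_NS = [f"dns{i}.sErVerHomE.Com" for i in range(1, 7)]
_GLUE = [(f"dns{i}.sErVerHomE.Com", f"192.0.2.{i}") for i in range(1, 4)]
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.53", "dport": 53, "dns": build_query(0x1234, "example.com")},
    {"src": "10.0.0.53", "sport": 53, "dst": "10.0.0.5", "dport": 40000, "dns": build_answer(0x1234, "example.com", "192.0.2.10")},
    {"src": "192.43.172.30", "sport": 53, "dst": "159.180.162.56", "dport": 36819,
     "dns": build_referral(0x9989, "PReS.sErVerHomE.Com", _NS, _GLUE)},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PACKETS):
        print(f)
```

In a real investigation the same logic runs over the whole capture, not one frame: a victim of amplification sees many unsolicited, large referral or ANY responses from many different servers, while a legitimate resolver shows the matching outbound queries (mixed case and all) for every response it receives. The `unsolicited` flag only means the query was not in the supplied packet list, so it is only meaningful when the capture started before the exchange and includes both directions.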