List: ethereal-users
Subject: [Ethereal-users] RE: Ethereal DNS Traffic Storm
From: Rahul Sawarkar <torahuls () vsnl ! com>
Date: 2004-03-30 3:42:31
Message-ID: 4068E9D7.4030304 () vsnl ! com
> On 26. Mar 2004, at 19:25 Uhr, Wescott, David H wrote:
>
>> Clarified Post:
>>
>> Just to clarify, this is not normal DNS traffic. Consider that the rate is 1000+ frames per second, and that this traffic is going to all configured DNS servers simultaneously.
>>
>> In addition, these are not the expected DNS queries carried by UDP. These are TCP SYN frames to port 53. When the DNS server responds with a SYN ACK, the Ethereal client aborts the connection with a TCP RESET. This traffic is continuous until Ethereal is aborted, and no DNS information is gained, since all these port 53 connection attempts are unsuccessful.
>>
>> In one case, an impacted user left their machine running in this state for 3 hours and this high rate of DNS traffic was constant for the entire time.
>>
>> We have observed that this condition occurs during display and not capture, and that it will push the client CPU to 100%.
>>
>> We believe that this is some type of bug, and not normal DNS traffic. This condition only occurs when Ethereal is used, and of course only if DNS lookups are enabled. However, we would like to get this corrected, so that DNS lookups can be used.
FYI:

The DNS header has a flags field with a TC bit that indicates whether the data is truncated; it is set when a DNS UDP reply packet exceeds 512 bytes. When the resolver receives a response to a query with the TC bit set, it issues the same query again using TCP. This allows more than 512 bytes to be returned because TCP can send data in segments...

Zone transfers are also done using TCP because of the large transfers.

So it's not the DNS TCP SYNs to nameserver:53 that worry me, rather:

> Consider that the rate is 1000+ frames per second, and that this traffic is going to all
> configured DNS servers simultaneously.
Looks like poor man's version of a denial of service hack to me...
Rgrds
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users
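The two behaviours discussed in this thread, as an added example that is not part of the original posts or of Ethereal: `is_truncated()` checks the TC bit in a DNS header (the legitimate trigger for a resolver to retry over TCP), and `syn_storm_clients()` is a defender-side heuristic over per-packet records that flags a client opening TCP/53 at a high rate and tearing every connection down with RST without ever sending data, which is the pattern the original post describes. The packet records, thresholds and addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def is_truncated(dns_msg: bytes) -> bool:
    """True if the TC bit (bit 9 of the RFC 1035 flags word) is set."""
    if len(dns_msg) < 12:
        raise ValueError("a DNS header is 12 bytes")
    flags = struct.unpack("!H", dns_msg[2:4])[0]
    return bool(flags & 0x0200)  # QR(15) Opcode(14-11) AA(10) TC(9) RD(8) ...

def syn_storm_clients(packets, min_syn_per_sec=100):
    """packets: (time_s, src, dst, dport, tcp_flags, payload_len).
    Reports clients whose peak rate of SYNs to tcp/53 reaches the threshold
    and that never carried any payload to port 53 (no DNS-over-TCP happened)."""
    syns = defaultdict(lambda: defaultdict(int))  # client -> second -> SYN count
    data_seen = defaultdict(bool)
    rsts = defaultdict(int)
    for t, src, dst, dport, flags, plen in packets:
        if dport != 53:
            continue
        if "S" in flags and "A" not in flags:
            syns[src][int(t)] += 1
        elif "R" in flags:
            rsts[src] += 1
        if plen > 0:
            data_seen[src] = True
    suspects = {}
    for client, per_sec in syns.items():
        peak = max(per_sec.values())
        if peak >= min_syn_per_sec and not data_seen[client]:
            suspects[client] = {"peak_syn_per_sec": peak, "rsts": rsts[client]}
    return suspects

def constructed_packets():
    """Constructed sample: one storm client and one well-behaved client."""
    pkts = []
    # Storm client: 150 SYNs within one second, spread over two resolvers,
    # each SYN/ACK answered with a client RST and no payload ever sent.
    for i in range(150):
        t = i / 150
        resolver = "10.0.0.53" if i % 2 == 0 else "10.0.1.53"
        pkts.append((t, "10.0.0.5", resolver, 53, "S", 0))
        pkts.append((t, resolver, "10.0.0.5", 40000 + i, "SA", 0))
        pkts.append((t, "10.0.0.5", resolver, 53, "R", 0))
    # Normal client: one handshake, then a DNS query actually carried over TCP.
    pkts += [(0.2, "10.0.0.9", "10.0.0.53", 53, "S", 0),
             (0.2, "10.0.0.53", "10.0.0.9", 41000, "SA", 0),
             (0.2, "10.0.0.9", "10.0.0.53", 53, "A", 0),
             (0.2, "10.0.0.9", "10.0.0.53", 53, "PA", 45)]
    return pkts
```

A TC-triggered retry produces a handful of SYNs that go on to carry a query, so it never reaches the threshold; the storm client is reported with its peak rate and RST count.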