[nos-bbs] malformed DNS etc

jj ve1jot at eastlink.ca
Mon Mar 22 00:57:15 EDT 2021


I could be mistaken, but isn't there a DNS attack vector (DNS amplify)
out in the wild? I seem to remember hearing about this last year or
so... I think it uses malformed packets to amplify DNS DDoS attacks... but
I could be wrong... usually am lol ;-)


On 2021-03-21 1:00 p.m., nos-bbs-request at lists.tapr.org wrote:
> Message: 1
> Date: Sat, 20 Mar 2021 15:33:56 -0500
> From: M Langelaar <maiko at pcsinternet.ca>
> To: TAPR xNOS Mailing List <nos-bbs at lists.tapr.org>
> Subject: [nos-bbs] malformed DNS packets, NOS crashing, and a first fix ...
> Message-ID: <ff76b332-ccf7-00d8-3f23-14a5e87bd6ca at pcsinternet.ca>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> Good day,
>
> What I originally thought was DNS attacks seems to be more a case of JNOS
> querying some DNS server and getting a malformed response, looks like it
> anyways. Thanks to Jean for the PI time and allowing me access, and Janusz
> for his gdb reports and such.
>
> It does happen, sometimes it suggests networking issues or other factors.
> I'm not an expert on what causes malformed responses, outside of malicious
> activity ... so at the same time, if you see 'malformed dns packet' it
> doesn't mean the firewall should come out right away? Any experts out there
> to add to this or correct my train of thought?
>
> I have a patch (technically very simple, checking qdcount for starters)
> that should be a big help in stopping JNOS from crashing on most malformed
> DNS packets. I suspect the reports I hear from time to time about JNOS
> crashing all the time could very well be because of this DNS issue. Seems
> to be more prevalent these days I hear.
>
> You can rsync (if you already do) or you can download the specific patch
> below:
>
>   https://www.langelaar.net/jnos2/januszDNSfix.tar
>
> It contains domhdr.c, domain.[ch], most of those have not changed for
> eons, so you can probably work them into any version of JNOS from the past
> few years or so. Make sure, and do a diff just to be on the safe side. I
> have also improved the error logging for some of the DNS packet functions.
> If you get a malformed packet, the logfile will now say so, and you should
> see the IP address of the server in question.
>
> This is the first fix, I'm sure it will get refined over time.
>
> Maiko / VE4KLM
> End of nos-bbs Digest, Vol 191, Issue 9
> ***************************************
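The crash class Maiko describes above is a DNS parser trusting the header's count fields without checking them against the bytes actually received. As an added illustration (not the JNOS patch, not code from this thread), the C below walks a reply's question and answer sections and rejects it when qdcount, a compression pointer, or an rdlength runs past the packet; the two sample packets are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#define DNS_HDR_LEN 12
#define MAX_QD 1   /* a resolver sends one question, so expect one back */
/* Constructed sample packets: a well-formed A reply for "nos", and a header-only one claiming 65535 questions. */
static const uint8_t good_pkt[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, /* header */
    3,'n','o','s',0, 0,1, 0,1,                        /* question: name, qtype A, class IN */
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 }; /* answer: ptr to name, A, IN, ttl, rdlen, rdata */
static const uint8_t bad_qd_pkt[] = { 0x12,0x34, 0x81,0x80, 0xFF,0xFF, 0,0, 0,0, 0,0 };

/* Skip one (possibly compressed) name at off; returns bytes it occupies in this section, 0 if malformed. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off)
{
    size_t start = off;
    while (off < len) {
        uint8_t lab = pkt[off];
        if (lab == 0) return off + 1 - start;
        if ((lab & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= len) return 0;
            size_t ptr = ((lab & 0x3F) << 8) | pkt[off + 1];
            if (ptr < DNS_HDR_LEN || ptr >= start) return 0; /* backward only: guarantees termination */
            return skip_name(pkt, len, ptr) ? off + 2 - start : 0;
        }
        if (lab > 63) return 0;                     /* 0x40 / 0x80 label prefixes are invalid */
        off += 1 + lab;
    }
    return 0;                                       /* name not terminated within len */
}

/* 1 if every section the header announces fits inside the len bytes received, else 0. */
int dns_response_ok(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN) return 0;
    unsigned qd = (pkt[4] << 8) | pkt[5], an = (pkt[6] << 8) | pkt[7];
    if (qd > MAX_QD) return 0;                      /* the qdcount sanity check */
    size_t off = DNS_HDR_LEN;
    for (unsigned i = 0; i < qd; i++) {             /* name, qtype, qclass */
        size_t n = skip_name(pkt, len, off);
        if (n == 0 || off + n + 4 > len) return 0;
        off += n + 4;
    }
    for (unsigned i = 0; i < an; i++) {             /* name, type, class, ttl, rdlen, rdata */
        size_t n = skip_name(pkt, len, off);
        if (n == 0 || off + n + 10 > len) return 0;
        size_t rdlen = (pkt[off + n + 8] << 8) | pkt[off + n + 9];
        if (off + n + 10 + rdlen > len) return 0;
        off += n + 10 + rdlen;
    }
    return 1;
}
```

A resolver that drops replies failing this check, and logs the source address as the patch above does, gets a usable signal about a misbehaving or spoofing server instead of a crash.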


