This is an automated archive.
The original was posted on /r/cybersecurity by /u/tinkerwannabe on 2023-09-23 06:57:32+00:00.
I’m having a bit of trouble understanding the nature of this DDoS attack capture file for my assessment.
It’s full of 40 DNS queries with 7~8 sources like Cisco, Dell, Microsoft, etc., but the source IP addresses are all unique. From my understanding, this is DRDoS, using trusted DNS servers as reflectors to send messages to a victim.
What I don’t understand is that isn’t this supposed to send responses to the victim, not queries? Am I overthinking or is there something I’m missing?
I’m sorry I cannot post an image here, I don’t know why. But below are some sample packets exported to txt:
No. Time Source Destination Protocol Length Info
1 0.000000 183.91.255.86 203.217.203.111 DNS 70 Standard query 0x0323 A secure.net

Frame 1: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: Dell_dc:4e:96 (00:13:72:dc:4e:96), Dst: Microsof_c2:11:2f (00:03:ff:c2:11:2f)
Internet Protocol Version 4, Src: 183.91.255.86, Dst: 203.217.203.111
User Datagram Protocol, Src Port: 6575, Dst Port: 53
Domain Name System (query)

No. Time Source Destination Protocol Length Info
2 0.000000 223.191.235.182 203.217.203.111 DNS 70 Standard query 0xcfdb A secure.net

Frame 2: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: Intel_61:94:cb (00:02:b3:61:94:cb), Dst: Microsof_c2:11:2f (00:03:ff:c2:11:2f)
Internet Protocol Version 4, Src: 223.191.235.182, Dst: 203.217.203.111
User Datagram Protocol, Src Port: 36837, Dst Port: 53
Domain Name System (query)

No. Time Source Destination Protocol Length Info
3 0.000000 247.248.101.125 203.217.203.111 DNS 70 Standard query 0xbfa1 A secure.net

Frame 3: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: LenovoMo_b3:2d:ad (00:12:fe:b3:2d:ad), Dst: Microsof_c2:11:2f (00:03:ff:c2:11:2f)
Internet Protocol Version 4, Src: 247.248.101.125, Dst: 203.217.203.111
User Datagram Protocol, Src Port: 23137, Dst Port: 53
Domain Name System (query)
Please tell me if I need to provide any additional information.
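An added example, not part of the original post, showing one way to triage an export like the one above: it parses the summary rows, groups them by destination, and labels each destination by the traffic shape a capture at that vantage point would show (all-queries from many unique sources at the DNS server, versus all-responses from several resolvers landing on one host). The response rows, the 192.0.2.10 host and the 198.51.100.x resolvers are constructed for illustration; the three query rows are the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the post's "No. Time Source Destination Protocol Length Info"
# layout: the three query rows from the post plus two made-up response rows from
# different resolvers converging on one host (192.0.2.10 is a documentation address).
SAMPLE = """\
1 0.000000 183.91.255.86 203.217.203.111 DNS 70 Standard query 0x0323 A secure.net
2 0.000000 223.191.235.182 203.217.203.111 DNS 70 Standard query 0xcfdb A secure.net
3 0.000000 247.248.101.125 203.217.203.111 DNS 70 Standard query 0xbfa1 A secure.net
4 0.100000 198.51.100.7 192.0.2.10 DNS 512 Standard query response 0x1a2b ANY example.org
5 0.100000 198.51.100.8 192.0.2.10 DNS 512 Standard query response 0x3c4d ANY example.org
"""

LINE = re.compile(r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
                  r"Standard query(?P<resp> response)?\s+0x[0-9a-fA-F]+\s+\S+\s+(?P<qname>\S+)")


def summarize(text):
    """Per destination: query/response counts, distinct source IPs, distinct names."""
    per_dst = defaultdict(lambda: {"queries": 0, "responses": 0, "sources": set(), "qnames": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:          # frame-detail lines and non-DNS rows are ignored
            continue
        s = per_dst[m["dst"]]
        s["responses" if m["resp"] else "queries"] += 1
        s["sources"].add(m["src"])
        s["qnames"].add(m["qname"])
    return per_dst


def classify(text, min_packets=2):
    """Label each destination by the traffic shape visible at the capture point."""
    labels = {}
    for dst, s in summarize(text).items():
        total = s["queries"] + s["responses"]
        if total < min_packets:
            continue
        if s["queries"] == total and len(s["sources"]) == total and len(s["qnames"]) == 1:
            # All queries, every source unique, one name: a query flood aimed at the
            # DNS server itself; sources this scattered are likely spoofed.
            labels[dst] = "query-flood-at-server"
        elif s["responses"] == total and len(s["sources"]) > 1:
            # Only responses, from several resolvers, all landing on one host: the
            # reflected side of a DRDoS, which is what a capture near the victim shows.
            labels[dst] = "reflected-responses-at-victim"
    return labels
```

Run `classify(SAMPLE)` to see both labels; on a real export, feed it the whole txt file and raise `min_packets` to something like 100 so ordinary lookups are not flagged.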