[noob alert] Can I get some help with analysing a ddos with wireshark? - eviltoast
This is an automated archive.

The original was posted on /r/cybersecurity by /u/tinkerwannabe on 2023-09-23 06:57:32+00:00.


I’m having a bit of trouble understanding the nature of this ddos attack capture file for my assessment.

It’s full of 40 DNS queries with 7~8 sources like Cisco, Dell, Microsoft, etc., but the source IP addresses are all unique. From my understanding, this is DRDoS, using trusted DNS servers as reflectors to send messages to a victim.

What I don’t understand is: isn’t this supposed to send responses to the victim, not queries? Am I overthinking, or is there something I’m missing?

I’m sorry I cannot post an image here, I don’t know why. But below are some sample packets exported to txt.

No.     Time           Source                Destination           Protocol Length Info
1       0.000000       183.91.255.86         203.217.203.111       DNS      70     Standard query 0x0323 A secure.net
Frame 1: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: Dell_dc:4e:96 (00:13:72:dc:4e:96), Dst: Microsof_c2:11:2f (00:03:ff:c2:11:2f)
Internet Protocol Version 4, Src: 183.91.255.86, Dst: 203.217.203.111
User Datagram Protocol, Src Port: 6575, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
2       0.000000       223.191.235.182       203.217.203.111       DNS      70     Standard query 0xcfdb A secure.net
Frame 2: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: Intel_61:94:cb (00:02:b3:61:94:cb), Dst: Microsof_c2:11:2f (00:03:ff:c2:11:2f)
Internet Protocol Version 4, Src: 223.191.235.182, Dst: 203.217.203.111
User Datagram Protocol, Src Port: 36837, Dst Port: 53
Domain Name System (query)

No.     Time           Source                Destination           Protocol Length Info
3       0.000000       247.248.101.125       203.217.203.111       DNS      70     Standard query 0xbfa1 A secure.net
Frame 3: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: LenovoMo_b3:2d:ad (00:12:fe:b3:2d:ad), Dst: Microsof_c2:11:2f (00:03:ff:c2:11:2f)
Internet Protocol Version 4, Src: 247.248.101.125, Dst: 203.217.203.111
User Datagram Protocol, Src Port: 23137, Dst Port: 53
Domain Name System (query)

Please tell me if I need to provide any additional information.
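One way to check the pattern the post describes programmatically, as an added example that is not part of the original post: parse Wireshark packet-list rows like the ones above and flag (destination, query name) pairs that receive a burst of identical queries from almost entirely distinct source addresses, which is what a DNS server on the receiving end of a spoofed-source query flood sees. The three `secure.net` rows are the ones from the post; the `example.com` rows and the thresholds (`min_queries`, `min_unique_ratio`, `window`) are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Wireshark packet-list text-export layout.
# Rows 1-3 are the rows from the post; rows 4-5 are made up to show a
# benign repeat from a single client that must not be flagged.
SAMPLE = """\
No.     Time           Source                Destination           Protocol Length Info
1 0.000000       183.91.255.86         203.217.203.111       DNS      70     Standard query 0x0323 A secure.net
2 0.000000       223.191.235.182       203.217.203.111       DNS      70     Standard query 0xcfdb A secure.net
3 0.000000       247.248.101.125       203.217.203.111       DNS      70     Standard query 0xbfa1 A secure.net
4 0.000100       10.0.0.5              203.217.203.111       DNS      70     Standard query 0x1111 A example.com
5 0.500000       10.0.0.5              203.217.203.111       DNS      70     Standard query 0x2222 A example.com
"""

ROW_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)
QUERY_RE = re.compile(r"Standard query 0x[0-9a-fA-F]+ (?P<qtype>\S+) (?P<qname>\S+)")

def parse_packets(text):
    """Return one dict per DNS packet-list row; the header and 'Frame N:' detail lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("proto") != "DNS":
            continue
        q = QUERY_RE.search(m.group("info"))
        rows.append({"time": float(m.group("time")), "src": m.group("src"),
                     "dst": m.group("dst"), "qname": q.group("qname") if q else None,
                     "is_query": q is not None})
    return rows

def flood_indicators(rows, min_queries=3, min_unique_ratio=0.9, window=1.0):
    """Group queries by (dst, qname) and flag groups where nearly every query comes
    from a different source within `window` seconds: many distinct sources asking the
    same name of the same server in one burst, rather than one client retrying."""
    groups = defaultdict(list)
    for r in rows:
        if r["is_query"]:
            groups[(r["dst"], r["qname"])].append(r)
    findings = {}
    for key, pkts in groups.items():
        if len(pkts) < min_queries:
            continue
        unique_src = len({p["src"] for p in pkts})
        span = max(p["time"] for p in pkts) - min(p["time"] for p in pkts)
        if unique_src / len(pkts) >= min_unique_ratio and span <= window:
            findings[key] = {"queries": len(pkts), "unique_sources": unique_src, "span_s": span}
    return findings
```

Run `flood_indicators(parse_packets(SAMPLE))` on a full export and compare the flagged (dst, qname) pairs against the packet details: the spoofed-source pattern shows up as a high unique-source ratio at the server receiving the queries, while the reflected traffic would appear as responses at the spoofed addresses.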