> I have the same problem, now I'm blocking this attempts with iptables and
> the Recent module when a number of tries is reached.
>
> This is the content of the packet:
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+
>
> 11/20/05-19:17:37.177173 168.143.XXX.XX:11752 -> YYY.YYY.Y.YY:53
> UDP TTL:233 TOS:0x0 ID:34960 IpLen:20 DgmLen:68 DF
> Len: 48
> 0x0000: 00 07 95 C2 6A 32 00 04 76 DA CB 14 08 00 45 00 ....j2..v.....E.
> 0x0010: 00 44 88 90 40 00 E9 11 2A D5 A8 8F 71 0A C0 A8 .D.. (at) . (dot) . [email concealed]*...q...
> 0x0020: 04 01 2D E8 00 35 00 30 00 00 20 9E 01 00 00 01 ..-..5.0.. .....
> 0x0030: 00 00 00 00 00 01 01 65 05 6D 70 69 73 69 03 63 .......e.mpisi.c
> 0x0040: 6F 6D 00 00 FF 00 FF 00 00 29 27 10 00 00 00 00 om.......)'.....
> 0x0050: 00 00 ..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+
Interesting. This packet allegedly came from www.anonymizer.com
(168.143.113.10). It apparently has undergone NAT, so its contents
might have been garbled, but: In contrast to Piotr's packets, this one
does contain an OPT RR (type 0x29). The sender buffer length (encoded
in the class field of the RR) is set to 10000.
> I have the same problem, now I'm blocking this attempts with iptables and
> the Recent module when a number of tries is reached.
>
> This is the content of the packet:
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+
>
> 11/20/05-19:17:37.177173 168.143.XXX.XX:11752 -> YYY.YYY.Y.YY:53
> UDP TTL:233 TOS:0x0 ID:34960 IpLen:20 DgmLen:68 DF
> Len: 48
> 0x0000: 00 07 95 C2 6A 32 00 04 76 DA CB 14 08 00 45 00 ....j2..v.....E.
> 0x0010: 00 44 88 90 40 00 E9 11 2A D5 A8 8F 71 0A C0 A8 .D.. (at) . (dot) . [email concealed]*...q...
> 0x0020: 04 01 2D E8 00 35 00 30 00 00 20 9E 01 00 00 01 ..-..5.0.. .....
> 0x0030: 00 00 00 00 00 01 01 65 05 6D 70 69 73 69 03 63 .......e.mpisi.c
> 0x0040: 6F 6D 00 00 FF 00 FF 00 00 29 27 10 00 00 00 00 om.......)'.....
> 0x0050: 00 00 ..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+
Interesting. This packet allegedly came from www.anonymizer.com
(168.143.113.10). It apparently has undergone NAT, so its contents
might have been garbled, but: In contrast to Piotr's packets, this one
does contain an OPT RR (type 0x29). The sender buffer length (encoded
in the class field of the RR) is set to 10000.
[ reply ]