I0OJJ > JNOS 21.03.21 01:55z 106 Lines 3696 Bytes #55 (0) @ WW
BID : 356G_I0OJJ
Subj: Re: malformed DNS packets, NOS crashing, and a first fix ..
Sent: 210321/0135z @:I0OJJ.ITA.EU [Rome] $:356G_I0OJJ
>From email@example.com Sun Mar 21 02:35:39 2021
Received: from ir0rm-7.ampr.org by i0ojj.ampr.org (JNOS2.0m.5G) with SMTP
id AA146680 ; Sun, 21 Mar 2021 02:35:39 +0100
>From: Gustavo Ponza <firstname.lastname@example.org>
Organization: SICD Rome
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:78.0) Gecko/20100101
Content-Type: text/plain; charset=utf-8; format=flowed
Hi Maiko and all,
On 3/20/21 9:39 PM, ve4klm@ve4klm.#wpg.mb.can.noam wrote:
> R:210320/2043Z @:VE2PKT.#TRV.QC.CAN.NOAM #:43128 $:A0DAC_VE4KLM
> R:210320/2042Z 59913@K5DAT.#CWI.WI.USA.NOAM LinBPQ6.0.21
> R:210320/2040z @:N2NOV.#RICH.NY.USA.NOAM $:A0DAC_VE4KLM
> R:210320/2039z @:VE4KLM.#WPG.MB.CAN.NOAM [Winnipeg] $:A0DAC_VE4KLM
>>From email@example.com Sat Mar 20 16:40:39 2021
> Received: from n2nov.ampr.org by n2nov.ampr.org (JNOS2.0m.5F) with SMTP
> id AA201951 ; Sat, 20 Mar 2021 16:40:39 EDT
> Message-Id: <A0DAC_VE4KLM@ve4klm.bbs>
>> From: ve4klm@ve4klm.#wpg.mb.can.noam
> X-JNOS-User-Port: Uplink (VE4KLM on port axipv) -> Sending message
> Good day,
> What I originally thought was DNS attacks, seem to be more a case of
> JNOS querying
> some DNS server, and getting a malformed response, looks like it
> anyways. Thanks to
> Jean for the PI time and allowing me access, and Janusz for his gdb
> reports and such.
> It does happen, sometimes it suggests networking issues or other
> factors, I'm not an
> expert on what causes malformed responses, outside of malicious activity
> ... so at the
> same time if you see 'malformed dns packet' it doesn't mean the firewall
> should come
> out right away ? any experts out there to add to this or correct my
> train of thought ?
> I have a patch (technically very simple, checking qdcount for starters)
> that should be a
> big help in stopping JNOS from crashing on most malformed DNS packets. I
> the reports I hear from time to time about JNOS crashing all the time,
> could very well
> be because of this DNS issue. Seems to be more prevalent these days I hear.
> You can rsync (if you already do) or you can download specific patch below :
> It contains domhdr.c, domain.[ch], most of those have not changed for
> eons, so you can
> probably work them into any version of JNOS from the past few years or
> so. Make sure,
> and do a diff just to be on the safe side. I have also improved the
> error logging for some
> of the DNS packet functions. If you get a malformed packet, logfile will
> now say so, and
> you should see the IP address of the server in question.
> This is the first fix, I'm sure it will get refined over time.
> Maiko / VE4KLM
Very often by 'tcpdump' the tun0 I can see several repeated
'unknown protocol' from linux and jnos2... but it perhaps is
related to the proto (93).
Good about the whole rsync download and recompile is that
I can safely #undef the vara and the winrpr drivers and
get the normal steady rock jnos2 work.
Not so good: the MBOX SID report since it is sometimes
messed-up: see the following example:
a. wrong report.
obcm 01:42:25 18.104.22.168:6300
b. right report
i0ojj 01:51:48 I0OJJ-2 on port hub
Then the string 'Auth ....' introduced in this last days
is disappeared... and perhaps (since I'm sleeping) the
MFA excluded line, too... :)
73 and ciao, gustavo i0ojj/ir0aab/ir0eq
non multa, sed multum
Read previous mail | Read next mail