Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Identifying applications using UDP payload

Published: 2009-03-17
Last Updated: 2009-03-17 13:59:03 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

As requested in todays "stormcast", some readers/listeners sent in complete packet captures of suspect UDP traffic. One of the "nice" things about UDP attacks is that they sometimes only consist of a single packet, and the complete payload can be captured even if no connection is established. For TCP on the other hand, all you would see is a SYN packet with no payload if a firewall blocks the traffic.

Here are a couple patterns in traffic submitted so far. I will keep adding as we see more

- DNS traffic

One of the first giveaways that you are dealing with DNS is of course the fact that it uses port 53. But even without this, DNS is easy to spot. For example, consider the following traffic snippet (just use the -X option in tcpdump)

    0001 0002 000d 0000 0579 6168 6f6f 0363  .........yahoo.c     
    6f6d 0000 0100 01c0 0c00 0100 0100 001f  om..............

DNS host names are encoded using a simple "length" - "value" scheme. In the example above, you see

'5' (5 letters to follow), 'yahoo', '3' 'com', '0' (indicating the end). Yes there are tools that allow you to perform UDP scans using valid looking DNS payloads. This pattern is easy to spot even without firing up wireshark and usually is sufficient to move on to the next packet.

 - Bittorrent

Bittorrent traffic does not use fixed ports, which makes it harder to spot. There are also encryption options. However, if not encrypted, there are a couple of patterns you can look for, again simply with 'tcpdump -X -s0...'. Bittorent usually encodes strings as length:string. For example, you will see

    313a 7139 3a66 696e 645f 6e6f 6465 313a   1:q9:find_node1: 

In this sample, you see two strings: first the green part, a string of length 1 ('q'), then a string of length 9 ('find_node', in red). Followed by another string of 1 (cut off in the example above)...

 

Keep the captures coming and I will try to add more simple "patterns" to help you spot various applications.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: payloads udp
0 comment(s)
Diary Archives