Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Watching those DNS logs

Published: 2008-08-05
Last Updated: 2008-08-05 22:43:06 UTC
by Daniel Wesemann (Version: 3)
0 comment(s)

Among the frantic activity to get all the DNS resolvers patched, very little has been said on how to be on the lookout for DNS poisoning attempts. Irrespective of the attack details, the two possible scenarios seem to be
(1) someone attacks a DNS resolver/forwarder of yours
(2) someone attacks a remote resolver/forwarder to poison a domain you own
The impact of the first scenario would be to draw your own users from, say, google.com to an evil incarnation instead. The impact of the second scenario would be that a customer of yours somewhere else on the world can no longer get to your services and is being redirected to or through an evil third party. The first scenario is what you patched your resolvers against - for the second scenario, you have to hope that all your customers are patched. If you are, for example, a retail bank with a nationwide online presence, chances are that not all your clients (or rather their ISPs) are patched and safe.

From the attack details that have so far been disclosed, scenario (2) involves a high number of queries for bogus names in the domain that you own. Your authoritative DNS server will respond with "NXDOMAIN" (no such domain) to all these requests, but every such query provides the attacker with a chance to inject a bogus reply to poison the querying resolver of your client's ISP.

Emergingthreats.net has a Snort rule (sid:2008470) to catch an excessive number of NXDOMAIN replies received by your resolver. This covers scenario (1). Scenario (2) would require a way to watch for a high number NXDOMAIN answers sent by your own authoritative DNS server. A quick check we made turned out that neither BIND9 nor MS-DNS seem to offer any easy way to log NXDOMAIN answers of your DNS server without going into debug-dump-it-all mode. The statistics collected by BIND keep track of sent NXDOMAIN records in the "SNXD" counter, but that's about it.

If you have any good suggestions on how to watch for a high number of queries for nonexisting hosts in your domain, or for a high number of NXDOMAIN replies leaving your DNS server, please let us know.

Update 1100UTC:   The tool "DSC" from DNS Measurement Factory was recommended as a means to chart what is going on with your DNS server.  Since this tool is based on grabbing DNS traffic via libpcap, it can easily be combined with a shadow-style pcap collector that only stores NXDOMAIN responses. Lacking direct NXDOMAIN logging support from within the DNS daemon itself, this combination seems like a good option.

tcpdump -s1514 -nX 'udp and port 53 and (udp[10] & 128 = 128) and (udp[11] & 3 = 3)'  captures DNS responses (QR bit set) with an RCODE of 3 (no such name). See RFC1035 for details on the DNS record format.

Update 1530UTC: One more tip that we got involves using "tshark" from the Wireshark package to quickly extract and analyze DNS oddities from a PCAP file. The command below results in a sortable list in "IP,domain-queried" format that can be easily post-processed from a shell script

tshark -t ad -e ip.dst -e dns.qry.name -E separator=, -T fields -nr new.pcap dns.flags.rcode == 3

Further, Snort users that subscribe to VRT rules can use SID 13948 and 13949 to watch for a high rate of NXDOMAIN responses.

Keywords: dns logs
0 comment(s)

The news update you never asked for

Published: 2008-08-05
Last Updated: 2008-08-05 00:45:33 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!

Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945

The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to listen, but about 50 of them currently resolve to 200.46.83.233.  That's in Panama.

Keywords: malware spam
3 comment(s)
Diary Archives