Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Do you have some DNS requests/replies you could share?

Published: 2014-06-25
Last Updated: 2014-06-25 02:03:20 UTC
by Mark Hofman (Version: 1)
2 comment(s)

Looking at DNS traffic it looks like it has been a busy month, but traffic seems to have dropped off. 

port 53 as a target has dropped off and during June there was an increase in traffic with a source port of 53. Something that we've seen on various IDS.  We either see one of two types of packets.  A request for any for a particular domain with the packet size set to 65535 and a spoofed source IP (i.e. the target).  So that accounts for the traffic to port 53.  

The second types of requests we see is from port 53.  Typically with a random source ports and typically to a number of servers in the target network.  The only thing that changes is often the queryid.  So these are likely attempts to poison the cache.  

The third type we see are DNS requests to check for open resolvers and a final type of query we see a lot of are DNS queries with HTTP elements in the traffic.  

There are a few things I'm interested in.  What caused the drop off for port 53 as the target.  What DNS queries are you seeing targetting your environment?  and if you can share, I'd be interested in the actual request itself.  


Mark H

2 comment(s)
Diary Archives