[Bro] Lying about DNS yields interesting bro entries

Andrew Smith andrew.william.smith at gmail.com
Tue Feb 2 11:31:36 PST 2016


It looks unlikely that Bro missed the request based on the hostname in the
query.

That looks like the DNS server is getting attacked with a spoofed DNS query
flood, and is sending DNS responses to the spoofed addresses, and one of
the spoofed addresses just happened to be one of James' IPs, so Bro is
really seeing a response that it didn't see a request for, because the
request came from some attacker out on the Internet. In other words, it's
backscatter from someone else being attacked.

The hostname in the query looks like it has extra randomized text
prepended to an actual hostname to avoid caches and to cause as much load
on the DNS server as possible.

On Tue, Feb 2, 2016 at 12:56 PM, anthony kasza <anthony.kasza at gmail.com>
wrote:

> It sounds like the oddness is around the orig_h and resp_h of unmatched
> replies.
> Which system originated a connection of an unmatched DNS reply? That begs
> the question: was the reply unsolicited or did Bro miss the request?
>
> -AK
> On Feb 2, 2016 9:18 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:
>
>> On 2016-02-02 09:20, Seth Hall wrote:
>> >> On Feb 1, 2016, at 6:31 PM, James Lay <jlay at slave-tothe-box.net>
>> >> wrote:
>> >>
>> >> I guess my question is, is this desired behavior?  I see the
>> >> dns_unmatched_reply, but it seems the first two entries never
>> >> happened...so should they be there?  Thanks...more of a curious
>> >> question than anything else.
>> >
>> > Which two entries are you referring to?  This looks correct to me.  It
>> > looks like you saw a stray DNS response message, but there was no
>> > query.
>> >
>> >   .Seth
>> >
>> > --
>> > Seth Hall
>> > International Computer Science Institute
>> > (Bro) because everyone has a network
>> > http://www.bro.org/
>>
>> Hi Seth,
>>
>> Pretty sure this is me missing something first off.  But to be honest
>> all the entries:
>>
>> 2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp     dns     -       -       -       SHR     T       F       0       d       0       0       1       73      (empty)
>> 2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp     21365   -       -       -       -       -       2       SERVFAIL        F       F       F       F       0       -       -       T
>> 2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      dns_unmatched_reply     -       F       bro
>>
>>
>> The above says to me "x.x.x.x sent data to 65.113.230.90 on port 53, and
>> got a servfail response, and this was actually an unmatched dns
>> response".  But in reality, this is what happened:
>>
>> 2016-02-01T08:48:12-0700  65.113.230.90    53   x.x.x.x    420     dns_unmatched_reply     -       F       bro
>>
>> 65.113.230.90 was the id.orig_h, not x.x.x.x, but as I read the first
>> three they state that x.x.x.x was the id.orig_h.  But in fact per this
>> drop:
>>
>> Feb  1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC= SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786 PROTO=UDP SPT=53 DPT=420 LEN=53
>>
>> x.x.x.x did not send any traffic to 65.113.230.90, even though conn,
>> dns, and weird.  As I look at it though, I think it's me needing to get
>> over reading left to right with Bro :)  Thanks Seth...hope that makes
>> sense.
>>
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
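The confusion in the thread comes from reading conn.log left to right: Bro files the side on the well-known port (53) as id.resp_h regardless of who actually spoke first, so a stray reply shows up with the local host as id.orig_h. The per-side counters in the same record resolve it. The following is an added example, not code from the thread or from the Bro project; it parses the conn.log record James pasted (assuming Bro 2.4's default conn.log column order with the uid column absent, as in his paste, and timestamps as printed by `bro-cut -d`), decides from orig_pkts/resp_pkts, conn_state and history which endpoint really sent the packet, and checks that reading against the netfilter drop line he quoted. The two input lines are constructed from the thread.

```python
"""Work out who really sent a stray UDP DNS reply from a Bro conn.log record.

Added example, not code from the thread or from the Bro project. Inputs are
constructed from the lines James pasted: a conn.log record (uid column
absent, timestamps as printed by `bro-cut -d`) and the netfilter drop line.
The column order is assumed to be Bro 2.4's default conn.log without uid.
"""
import re

# Assumed column order: Bro 2.4 default conn.log minus the uid field.
CONN_FIELDS = [
    "ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Constructed from the thread; x.x.x.x is James's redacted address.
CONN_LINE = (
    "2016-02-01T08:48:12-0700\tx.x.x.x\t420\t65.113.230.90\t53\tudp\tdns"
    "\t-\t-\t-\tSHR\tT\tF\t0\td\t0\t0\t1\t73\t(empty)"
)
NETFILTER_LINE = (
    "Feb  1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC= "
    "SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 "
    "ID=23786 PROTO=UDP SPT=53 DPT=420 LEN=53"
)


def parse_conn(line):
    """Split one tab-separated conn.log record into a dict keyed by field name."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(CONN_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CONN_FIELDS), len(values)))
    return dict(zip(CONN_FIELDS, values))


def parse_netfilter(line):
    """Pull the 5-tuple and the IP total length out of a netfilter LOG line."""
    kv = dict(re.findall(r"(\w+)=(\S*)", line))  # the second LEN= (UDP) overwrites the first
    ip_len = int(re.search(r"\bLEN=(\d+)", line).group(1))  # first LEN= is the IP header's
    return {
        "src_h": kv["SRC"], "src_p": kv["SPT"],
        "dst_h": kv["DST"], "dst_p": kv["DPT"],
        "proto": kv["PROTO"].lower(), "ip_len": ip_len,
    }


def actual_sender(conn):
    """Decide which endpoint actually put packets on the wire.

    For UDP, conn_state SHR with orig_pkts == 0 means Bro only ever saw the
    responder side, and a lowercase history letter ('d' = payload) is likewise
    the responder's. Together they say the id.orig_h side never sent anything.
    """
    orig_pkts = int(conn["orig_pkts"])
    resp_pkts = int(conn["resp_pkts"])
    responder_only = orig_pkts == 0 and resp_pkts > 0 and conn["history"].islower()
    if responder_only:
        return {
            "unsolicited": True,
            "sender": conn["id.resp_h"], "sender_port": conn["id.resp_p"],
            "receiver": conn["id.orig_h"], "receiver_port": conn["id.orig_p"],
            "bytes": int(conn["resp_ip_bytes"]),
        }
    return {
        "unsolicited": False,
        "sender": conn["id.orig_h"], "sender_port": conn["id.orig_p"],
        "receiver": conn["id.resp_h"], "receiver_port": conn["id.resp_p"],
        "bytes": int(conn["orig_ip_bytes"]),
    }


def corroborate(conn, nf):
    """Check Bro's reading of the direction against the firewall's own log."""
    who = actual_sender(conn)
    agrees = (
        who["sender"] == nf["src_h"] and who["sender_port"] == nf["src_p"]
        and who["receiver"] == nf["dst_h"] and who["receiver_port"] == nf["dst_p"]
        and conn["proto"] == nf["proto"] and who["bytes"] == nf["ip_len"]
    )
    return who, agrees


def describe(who):
    """Render the record the way James expected to read it: real sender first."""
    kind = "unsolicited reply" if who["unsolicited"] else "request"
    return "%s:%s -> %s:%s %s, %d bytes" % (
        who["sender"], who["sender_port"], who["receiver"], who["receiver_port"],
        kind, who["bytes"])


if __name__ == "__main__":
    who, agrees = corroborate(parse_conn(CONN_LINE), parse_netfilter(NETFILTER_LINE))
    print(describe(who), "| firewall log agrees:", agrees)
```

Run as-is it reports `65.113.230.90:53 -> x.x.x.x:420 unsolicited reply, 73 bytes | firewall log agrees: True`, which is the same picture Andrew draws: one backscatter response, no request from the local host, the 73-byte IP length matching on both sides. The same test on records with orig_pkts > 0 and an uppercase history letter would classify them as genuine requests, so it can be applied across a whole conn.log to separate backscatter from traffic the local host actually started.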