[Bro] Lying about DNS yields interesting bro entries
James Lay
jlay at slave-tothe-box.net
Tue Feb 2 11:16:34 PST 2016
Hi Anthony,
I should first preface this: the whole reason I started down this path was
that a fair amount of the firewall hits I see are on port 420, so I started
packet capturing for udp port 420, and that's when I started to notice this.
So here's what Bro showed for the IP 65.113.230.90:
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp dns - - - SHR T F0 d 0 0 1 73 (empty)
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp 21365 - - - - - 2SERVFAIL F F F F 0 - - T
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 dns_unmatched_reply - F bro
The packet capture showed this:
2016-02-01 08:48:12.311086633 65.113.230.90 -> x.x.x.x DNS 89 Standard
query response 0x5375 Server failure A otqxwnenalwb.www.1818my[.]com [1]
< [] added by me
And syslog shows the dropped packet:
Feb 1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC=
SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786
PROTO=UDP SPT=53 DPT=420 LEN=53
I believe all these replies are unsolicited...here's more info from the pcap:
1 2016-02-01 07:27:04.816315071 162.227.35.49 -> x.x.x.x DNS 80 Standard query response 0x5375 Server failure A xec.www.1818my.com
2 2016-02-01 07:29:06.691950594 69.165.170.13 -> x.x.x.x DNS 86 Standard query response 0x5375 Server failure A hdjxvefrc.www.1818my.com
3 2016-02-01 07:43:15.851708630 77.245.146.9 -> x.x.x.x DNS 78 Standard query response 0x5375 Server failure A x.www.1818my.com
4 2016-02-01 07:58:16.362832986 185.37.170.75 -> x.x.x.x DNS 84 Standard query response 0x5375 Server failure A mvaakbx.www.1818my.com
5 2016-02-01 08:21:34.161432864 200.66.71.204 -> x.x.x.x DNS 91 Standard query response 0x5375 Server failure A qpohqpuhyhydkx.www.1818my.com
6 2016-02-01 08:34:15.116312435 177.38.182.14 -> x.x.x.x DNS 80 Standard query response 0x5375 Server failure A xba.www.1818my.com
7 2016-02-01 08:46:06.804898711 180.166.211.154 -> x.x.x.x DNS 89 Standard query response 0x5375 Server failure A cnmxiditebuh.www.1818my.com
8 2016-02-01 08:48:12.311086633 65.113.230.90 -> x.x.x.x DNS 89 Standard query response 0x5375 Server failure A otqxwnenalwb.www.1818my.com
9 2016-02-01 09:50:28.034713107 86.53.30.145 -> x.x.x.x DNS 80 Standard query response 0x5375 Server failure A xbd.www.1818my.com
10 2016-02-01 10:45:33.406354013 189.36.206.166 -> x.x.x.x DNS 82 Standard query response 0x5375 Server failure A zavyx.www.1818my.com
11 2016-02-01 10:51:52.599903143 188.64.112.107 -> x.x.x.x DNS 78 Standard query response 0x5375 Server failure A x.www.1818my.com
12 2016-02-01 10:55:32.267107992 66.79.47.97 -> x.x.x.x DNS 90 Standard query response 0x5375 Server failure A nocdefghvwxym.www.1818my.com
13 2016-02-01 11:30:22.634179669 41.223.176.254 -> x.x.x.x DNS 88 Standard query response 0x5375 Server failure A yzxeuexhebp.www.1818my.com
14 2016-02-01 11:37:14.661145722 209.200.125.113 -> x.x.x.x DNS 91 Standard query response 0x5375 Server failure A edgjgdehunglcx.www.1818my.com
15 2016-02-01 12:27:23.082648045 110.45.190.78 -> x.x.x.x DNS 93 Standard query response 0x5375 Server failure A epgxahchmlejcbgn.www.1818my.com
16 2016-02-01 12:48:26.354106148 195.208.51.100 -> x.x.x.x DNS 90 Standard query response 0x5375 Server failure A nbcdefguvwxlz.www.1818my.com
17 2016-02-01 13:21:15.031248372 38.100.165.4 -> x.x.x.x DNS 90 Standard query response 0x5375 Server failure A nbcqesguijxlm.www.1818my.com
18 2016-02-01 13:24:04.308343363 117.204.35.201 -> x.x.x.x DNS 78 Standard query response 0x5375 Server failure A x.www.1818my.com
19 2016-02-01 13:47:54.805174964 216.227.105.205 -> x.x.x.x DNS 158 Standard query response 0x5375 No such name A gaxavkciclt.www.1818my.com SOA rad0.elltel.net
20 2016-02-01 13:55:47.810864539 208.106.155.144 -> x.x.x.x DNS 82 Standard query response 0x5375 Server failure A craxx.www.1818my.com
21 2016-02-01 14:03:28.220225897 120.151.219.248 -> x.x.x.x DNS 89 Standard query response 0x5375 Server failure A uzuxwlodybgn.www.1818my.com
22 2016-02-01 14:30:31.689614428 40.134.192.119 -> x.x.x.x DNS 108 Standard query response 0x5375 A mamzjnvojxeopzr.www.1818my.com A 127.123.45.67
23 2016-02-01 15:04:36.756997582 219.163.72.226 -> x.x.x.x DNS 80 Standard query response 0x5375 Refused A xoo.www.1818my.com
24 2016-02-01 16:10:37.693277685 198.71.54.86 -> x.x.x.x DNS 78 Standard query response 0x5375 Refused A x.www.1818my.com
25 2016-02-01 16:23:06.072114319 95.79.36.228 -> x.x.x.x DNS 86 Standard query response 0x5375 Server failure A xqzxqckbl.www.1818my.com
26 2016-02-01 16:44:48.085836197 86.62.78.132 -> x.x.x.x DNS 93 Standard query response 0x5375 Server failure A cjmxkxwvixoxmdoj.www.1818my.com
27 2016-02-01 16:45:53.057522907 110.137.88.41 -> x.x.x.x DNS 80 Standard query response 0x5375 Server failure A xzi.www.1818my.com
28 2016-02-01 17:49:34.389252897 46.10.71.248 -> x.x.x.x DNS 80 Standard query response 0x5375 Server failure A xrz.www.1818my.com
29 2016-02-01 18:13:04.732047378 192.198.208.163 -> x.x.x.x DNS 90 Standard query response 0x5375 Server failure A abpdrsguijxlm.www.1818my.com
31 2016-02-01 20:07:53.110496413 60.6.223.26 -> x.x.x.x DNS 107 Standard query response 0x5375 A ifoxmncxspsxkx.www.1818my.com A 127.0.0.1
32 2016-02-01 23:41:16.181497169 84.120.111.129 -> x.x.x.x DNS 89 Standard query response 0x5375 Server failure A ahcxsfedofit.www.1818my.com
33 2016-02-02 00:04:54.704232888 68.153.208.145 -> x.x.x.x DNS 92 Standard query response 0x5375 Server failure A zscwrvdouxlhhkb.www.1818my.com
34 2016-02-02 00:22:04.204288331 188.171.5.71 -> x.x.x.x DNS 91 Standard query response 0xc737 Server failure A cxyvqralibkjux.www.1818my.com[Malformed Packet]
35 2016-02-02 00:23:21.751179271 60.2.46.214 -> x.x.x.x DNS 94 Standard query response 0x5375 A x.www.1818my.com A 127.0.0.1
36 2016-02-02 00:31:50.457266962 202.4.227.99 -> x.x.x.x DNS 82 Standard query response 0x5375 Server failure A goylx.www.1818my.com
37 2016-02-02 01:25:38.118660850 77.85.169.52 -> x.x.x.x DNS 91 Standard query response 0x5375 Server failure A czipcjorufyxgx.www.1818my.com
38 2016-02-02 01:28:33.637461325 210.227.116.101 -> x.x.x.x DNS 92 Standard query response 0x5375 Server failure A ezcuarfwvxdotau.www.1818my.com
39 2016-02-02 01:55:14.214997203 220.157.103.38 -> x.x.x.x DNS 88 Standard query response 0x5375 Server failure A lixgvrowxjb.www.1818my.com
40 2016-02-02 02:02:32.277401732 207.30.133.65 -> x.x.x.x DNS 92 Standard query response 0x5375 Server failure A nfwnvkmqpxxjbof.www.1818my.com
41 2016-02-02 02:55:41.387701175 50.240.13.113 -> x.x.x.x DNS 80 Standard query response 0x5375 Refused A xji.www.1818my.com
42 2016-02-02 03:04:08.783792035 203.115.19.200 -> x.x.x.x DNS 92 Standard query response 0x5375 Server failure A npcmbhqulxaxrzm.www.1818my.com
44 2016-02-02 03:43:48.400021981 94.229.95.156 -> x.x.x.x DNS 88 Standard query response 0x5375 Server failure A gdxypnfowcc.www.1818my.com
133 2016-02-02 10:24:15.482620371 101.99.20.163 -> x.x.x.x DNS 92 Standard query response 0x5375 Server failure A jqysdilejxcznxr.www.1818my.com
134 2016-02-02 10:38:53.528569603 90.154.197.253 -> x.x.x.x DNS 82 Standard query response 0x5375 Server failure A uacvx.www.1818my.com
135 2016-02-02 10:51:19.133470580 86.102.168.66 -> x.x.x.x DNS 82 Standard query response 0x5375 Server failure A lxxax.www.1818my.com
136 2016-02-02 10:56:28.214752509 163.23.118.1 -> x.x.x.x DNS 86 Standard query response 0x5375 Refused A fmhxnyfya.www.1818my.com
137 2016-02-02 10:56:48.808973842 193.8.47.24 -> x.x.x.x DNS 82 Standard query response 0x5375 Server failure A mdhyx.www.1818my.com
138 2016-02-02 11:34:38.020879046 193.106.93.233 -> x.x.x.x DNS 78 Standard query response 0x5375 Server failure A x.www.1818my.com
Of interest is that every single one of these is sourced from port 53, and
the destination is port 420, which is why they continue to get dropped at my
firewall. Very curious. I'm going to switch the capture to full-on DNS and
see what comes up. More to come...thank you.
James
On 2016-02-02 11:56, anthony kasza wrote:
> It sounds like the oddness is around the orig_h and resp_h of
> unmatched replies.
> Which system originated a connection of an unmatched DNS reply? That
> begs the question: was the reply unsolicited or did Bro miss the
> request?
>
> -AK
>
> On Feb 2, 2016 9:18 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:
>
> On 2016-02-02 09:20, Seth Hall wrote:
>
> On Feb 1, 2016, at 6:31 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> I guess my question is, is this desired behavior? I see the
> dns_unmatched_reply, but it seems the first two entries never
> happened...so should they be there? Thanks...more of a curious
> question
> more than anything else.
> Which two entries are you referring to? This looks correct to me. It
> looks like you saw a stray DNS response message, but there was no
> query.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Hi Seth,
Pretty sure this is me missing something first off. But to be honest,
all the entries:
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp dns - - - SHR T F0 d 0 0 1 73 (empty)
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 udp 21365 - - - - - 2SERVFAIL F F F F 0 - - T
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53 dns_unmatched_reply - F bro
The above says to me "x.x.x.x sent data to 65.113.230.90 on port 53, and
got a servfail response, and this was actually an unmatched dns
response". But in reality, this is what happened:
2016-02-01T08:48:12-0700 65.113.230.90 53 x.x.x.x 420
dns_unmatched_reply - F bro
65.113.230.90 was the id.orig_h, not x.x.x.x, but as I read the first
three they state that x.x.x.x was the id.orig_h. But in fact per this
drop:
Feb 1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC=
SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786
PROTO=UDP SPT=53 DPT=420 LEN=53
x.x.x.x did not send any traffic to 65.113.230.90, even though conn,
dns, and weird. As I look at it though, I think it's me needing to get
over reading left to right with Bro :) Thanks Seth...hope that makes
sense.
James
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Links:
------
[1] http://www.1818my[.]com
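Added example, not from this thread, from Bro, or from any project: a small Python script that reads a conn.log record in Bro's standard column order, flags it as a reply-only DNS flow (SHR state, zero originator packets), works out which side actually put the bytes on the wire, and cross-checks that against the netfilter drop line and a few of the tshark summaries. Every sample line is constructed here: 192.0.2.10 stands in for x.x.x.x, the uid is a placeholder, and the history value "^d" assumes Bro's direction-flip marker, which the pasted line does not show.

```python
"""Correlate a reply-only Bro conn.log record with a firewall drop line.
All sample data below is constructed for this example; none of it is
taken verbatim from Bro or from a real log file."""
import re
from collections import Counter

# Bro conn.log columns, in on-disk order (tab-separated in the real file).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Constructed sample record. uid is a placeholder; "^d" assumes Bro's
# flipped-direction history flag (the thread's pasted line shows only "d").
CONN_RECORD = ("2016-02-01T08:48:12-0700 CUIDPLACEHOLDER 192.0.2.10 420 "
               "65.113.230.90 53 udp dns - - - SHR T F 0 ^d 0 0 1 73 (empty)")

# Constructed netfilter drop line in the format the thread shows.
DROP_LINE = ("Feb 1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC= "
             "SRC=65.113.230.90 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 "
             "TTL=249 ID=23786 PROTO=UDP SPT=53 DPT=420 LEN=53")

# Constructed tshark one-line summaries (same layout as the pasted capture).
TSHARK_LINES = [
    "1 2016-02-01 07:27:04.816315071 162.227.35.49 -> 192.0.2.10 DNS 80 "
    "Standard query response 0x5375 Server failure A xec.www.1818my.com",
    "22 2016-02-01 14:30:31.689614428 40.134.192.119 -> 192.0.2.10 DNS 108 "
    "Standard query response 0x5375 A mamzjnvojxeopzr.www.1818my.com A 127.123.45.67",
    "23 2016-02-01 15:04:36.756997582 219.163.72.226 -> 192.0.2.10 DNS 80 "
    "Standard query response 0x5375 Refused A xoo.www.1818my.com",
    "19 2016-02-01 13:47:54.805174964 216.227.105.205 -> 192.0.2.10 DNS 158 "
    "Standard query response 0x5375 No such name A gaxavkciclt.www.1818my.com "
    "SOA rad0.elltel.net",
]


def parse_conn(line):
    """Split one conn.log record into a dict; packet/byte counters become ints."""
    vals = line.split()
    if len(vals) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} fields, got {len(vals)}")
    rec = dict(zip(CONN_FIELDS, vals))
    for f in ("orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"):
        rec[f] = int(rec[f])
    return rec


def parse_drop(line):
    """Netfilter KEY=value pairs. LEN occurs twice (IP, then UDP); keep the first."""
    kv = {}
    for key, val in re.findall(r"([A-Z]+)=(\S*)", line):
        kv.setdefault(key, val)
    return kv


def is_reply_only_dns(rec):
    """SHR with zero originator packets: Bro saw a DNS response but no query."""
    return (rec["service"] == "dns" and rec["conn_state"] == "SHR"
            and rec["orig_pkts"] == 0 and rec["resp_pkts"] >= 1)


def wire_direction(rec):
    """(sender, sport, receiver, dport, sender_bytes) for the bytes Bro saw.
    In a reply-only flow only the responder transmitted, so the on-wire
    source is id.resp_h:id.resp_p however the record reads left to right."""
    if rec["orig_pkts"] == 0 and rec["resp_pkts"] > 0:
        return (rec["id.resp_h"], int(rec["id.resp_p"]),
                rec["id.orig_h"], int(rec["id.orig_p"]), rec["resp_ip_bytes"])
    return (rec["id.orig_h"], int(rec["id.orig_p"]),
            rec["id.resp_h"], int(rec["id.resp_p"]), rec["orig_ip_bytes"])


def drop_matches_flow(rec, drop):
    """True when the firewall's dropped packet is the packet behind this record."""
    sender, sport, receiver, dport, nbytes = wire_direction(rec)
    return (drop.get("PROTO") == rec["proto"].upper()
            and drop.get("SRC") == sender and int(drop.get("SPT", -1)) == sport
            and drop.get("DST") == receiver and int(drop.get("DPT", -1)) == dport
            and int(drop.get("LEN", -1)) == nbytes)


TSHARK_RE = re.compile(
    r"^\d+ \S+ \S+ (?P<src>\S+) -> \S+ DNS \d+ Standard query response "
    r"(?P<txid>0x[0-9a-f]+) (?:(?P<rcode>Server failure|Refused|No such name) )?"
    r"A (?P<qname>\S+)")


def summarize_replies(lines):
    """Tally distinct senders, transaction ids, rcodes and the queried suffix."""
    sources, txids, rcodes, suffixes = set(), set(), Counter(), set()
    for line in lines:
        m = TSHARK_RE.match(line)
        if not m:
            continue
        sources.add(m["src"])
        txids.add(m["txid"])
        rcodes[m["rcode"] or "No error"] += 1
        suffixes.add(m["qname"].split(".", 1)[1])  # drop the varying first label
    return {"sources": len(sources), "txids": txids,
            "rcodes": dict(rcodes), "suffixes": suffixes}


if __name__ == "__main__":
    rec = parse_conn(CONN_RECORD)
    print("reply-only DNS flow:", is_reply_only_dns(rec))
    print("on the wire:", wire_direction(rec))
    print("firewall drop is this packet:", drop_matches_flow(rec, parse_drop(DROP_LINE)))
    print(summarize_replies(TSHARK_LINES))
```

Run as a script it prints the four results. The point it makes is the one the thread ends on: in a reply-only record the left-hand id.orig_h is the host that received the packet, and the SRC/SPT of the drop line match id.resp_h/id.resp_p, so a conn.log row cannot be read as "orig sent to resp" without checking orig_pkts and the history flags. The tshark tally is there because the pasted capture shares one transaction id across dozens of senders; counting distinct sources per transaction id is the cheap way to see that in a larger capture.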