[Bro] Lying about DNS yields interesting bro entries

James Lay jlay at slave-tothe-box.net
Tue Feb 2 11:16:34 PST 2016


Hi Anthony, 

I should first preface this by saying that the whole reason I started
down this path was because I find that a fair amount of the firewall
hits I see are on port 420, so I started packet capturing for udp port
420, and that's when I started to notice this.  So here's what Bro
showed for the IP of 65.113.230.90:

2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp     dns     -       -       -       SHR     T      F0       d       0       0       1       73      (empty)
2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp     21365   -       -       -       -       -      2SERVFAIL       F       F       F       F       0       -       -       T
2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      dns_unmatched_reply     -       F       bro

The packet capture showed this:
2016-02-01 08:48:12.311086633 65.113.230.90 -> x.x.x.x DNS 89 Standard query response 0x5375 Server failure A otqxwnenalwb.www.1818my[.]com [1]
< [] added by me

And syslog shows the dropped packet:
Feb  1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC= SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786 PROTO=UDP SPT=53 DPT=420 LEN=53

I believe all these replies are unsolicited... here's more info from the
pcap:

  1 2016-02-01 07:27:04.816315071 162.227.35.49 -> x.x.x.x DNS 80
Standard query response 0x5375 Server failure A xec.www.1818my.com
  2 2016-02-01 07:29:06.691950594 69.165.170.13 -> x.x.x.x DNS 86
Standard query response 0x5375 Server failure A hdjxvefrc.www.1818my.com
  3 2016-02-01 07:43:15.851708630 77.245.146.9 -> x.x.x.x DNS 78
Standard query response 0x5375 Server failure A x.www.1818my.com
  4 2016-02-01 07:58:16.362832986 185.37.170.75 -> x.x.x.x DNS 84
Standard query response 0x5375 Server failure A mvaakbx.www.1818my.com
  5 2016-02-01 08:21:34.161432864 200.66.71.204 -> x.x.x.x DNS 91
Standard query response 0x5375 Server failure A
qpohqpuhyhydkx.www.1818my.com
  6 2016-02-01 08:34:15.116312435 177.38.182.14 -> x.x.x.x DNS 80
Standard query response 0x5375 Server failure A xba.www.1818my.com
  7 2016-02-01 08:46:06.804898711 180.166.211.154 -> x.x.x.x DNS 89
Standard query response 0x5375 Server failure A
cnmxiditebuh.www.1818my.com
  8 2016-02-01 08:48:12.311086633 65.113.230.90 -> x.x.x.x DNS 89
Standard query response 0x5375 Server failure A
otqxwnenalwb.www.1818my.com
  9 2016-02-01 09:50:28.034713107 86.53.30.145 -> x.x.x.x DNS 80
Standard query response 0x5375 Server failure A xbd.www.1818my.com
 10 2016-02-01 10:45:33.406354013 189.36.206.166 -> x.x.x.x DNS 82
Standard query response 0x5375 Server failure A zavyx.www.1818my.com
 11 2016-02-01 10:51:52.599903143 188.64.112.107 -> x.x.x.x DNS 78
Standard query response 0x5375 Server failure A x.www.1818my.com
 12 2016-02-01 10:55:32.267107992  66.79.47.97 -> x.x.x.x DNS 90
Standard query response 0x5375 Server failure A
nocdefghvwxym.www.1818my.com
 13 2016-02-01 11:30:22.634179669 41.223.176.254 -> x.x.x.x DNS 88
Standard query response 0x5375 Server failure A
yzxeuexhebp.www.1818my.com
 14 2016-02-01 11:37:14.661145722 209.200.125.113 -> x.x.x.x DNS 91
Standard query response 0x5375 Server failure A
edgjgdehunglcx.www.1818my.com
 15 2016-02-01 12:27:23.082648045 110.45.190.78 -> x.x.x.x DNS 93
Standard query response 0x5375 Server failure A
epgxahchmlejcbgn.www.1818my.com
 16 2016-02-01 12:48:26.354106148 195.208.51.100 -> x.x.x.x DNS 90
Standard query response 0x5375 Server failure A
nbcdefguvwxlz.www.1818my.com
 17 2016-02-01 13:21:15.031248372 38.100.165.4 -> x.x.x.x DNS 90
Standard query response 0x5375 Server failure A
nbcqesguijxlm.www.1818my.com
 18 2016-02-01 13:24:04.308343363 117.204.35.201 -> x.x.x.x DNS 78
Standard query response 0x5375 Server failure A x.www.1818my.com
 19 2016-02-01 13:47:54.805174964 216.227.105.205 -> x.x.x.x DNS 158
Standard query response 0x5375 No such name A gaxavkciclt.www.1818my.com
SOA rad0.elltel.net
 20 2016-02-01 13:55:47.810864539 208.106.155.144 -> x.x.x.x DNS 82
Standard query response 0x5375 Server failure A craxx.www.1818my.com
 21 2016-02-01 14:03:28.220225897 120.151.219.248 -> x.x.x.x DNS 89
Standard query response 0x5375 Server failure A
uzuxwlodybgn.www.1818my.com
 22 2016-02-01 14:30:31.689614428 40.134.192.119 -> x.x.x.x DNS 108
Standard query response 0x5375 A mamzjnvojxeopzr.www.1818my.com A
127.123.45.67
 23 2016-02-01 15:04:36.756997582 219.163.72.226 -> x.x.x.x DNS 80
Standard query response 0x5375 Refused A xoo.www.1818my.com
 24 2016-02-01 16:10:37.693277685 198.71.54.86 -> x.x.x.x DNS 78
Standard query response 0x5375 Refused A x.www.1818my.com
 25 2016-02-01 16:23:06.072114319 95.79.36.228 -> x.x.x.x DNS 86
Standard query response 0x5375 Server failure A xqzxqckbl.www.1818my.com
 26 2016-02-01 16:44:48.085836197 86.62.78.132 -> x.x.x.x DNS 93
Standard query response 0x5375 Server failure A
cjmxkxwvixoxmdoj.www.1818my.com
 27 2016-02-01 16:45:53.057522907 110.137.88.41 -> x.x.x.x DNS 80
Standard query response 0x5375 Server failure A xzi.www.1818my.com
 28 2016-02-01 17:49:34.389252897 46.10.71.248 -> x.x.x.x DNS 80
Standard query response 0x5375 Server failure A xrz.www.1818my.com
 29 2016-02-01 18:13:04.732047378 192.198.208.163 -> x.x.x.x DNS 90
Standard query response 0x5375 Server failure A
abpdrsguijxlm.www.1818my.com
 31 2016-02-01 20:07:53.110496413  60.6.223.26 -> x.x.x.x DNS 107
Standard query response 0x5375 A ifoxmncxspsxkx.www.1818my.com A
127.0.0.1
 32 2016-02-01 23:41:16.181497169 84.120.111.129 -> x.x.x.x DNS 89
Standard query response 0x5375 Server failure A
ahcxsfedofit.www.1818my.com
 33 2016-02-02 00:04:54.704232888 68.153.208.145 -> x.x.x.x DNS 92
Standard query response 0x5375 Server failure A
zscwrvdouxlhhkb.www.1818my.com
 34 2016-02-02 00:22:04.204288331 188.171.5.71 -> x.x.x.x DNS 91
Standard query response 0xc737 Server failure A
cxyvqralibkjux.www.1818my.com[Malformed Packet]
 35 2016-02-02 00:23:21.751179271  60.2.46.214 -> x.x.x.x DNS 94
Standard query response 0x5375 A x.www.1818my.com A 127.0.0.1
 36 2016-02-02 00:31:50.457266962 202.4.227.99 -> x.x.x.x DNS 82
Standard query response 0x5375 Server failure A goylx.www.1818my.com
 37 2016-02-02 01:25:38.118660850 77.85.169.52 -> x.x.x.x DNS 91
Standard query response 0x5375 Server failure A
czipcjorufyxgx.www.1818my.com
 38 2016-02-02 01:28:33.637461325 210.227.116.101 -> x.x.x.x DNS 92
Standard query response 0x5375 Server failure A
ezcuarfwvxdotau.www.1818my.com
 39 2016-02-02 01:55:14.214997203 220.157.103.38 -> x.x.x.x DNS 88
Standard query response 0x5375 Server failure A
lixgvrowxjb.www.1818my.com
 40 2016-02-02 02:02:32.277401732 207.30.133.65 -> x.x.x.x DNS 92
Standard query response 0x5375 Server failure A
nfwnvkmqpxxjbof.www.1818my.com
 41 2016-02-02 02:55:41.387701175 50.240.13.113 -> x.x.x.x DNS 80
Standard query response 0x5375 Refused A xji.www.1818my.com
 42 2016-02-02 03:04:08.783792035 203.115.19.200 -> x.x.x.x DNS 92
Standard query response 0x5375 Server failure A
npcmbhqulxaxrzm.www.1818my.com
 44 2016-02-02 03:43:48.400021981 94.229.95.156 -> x.x.x.x DNS 88
Standard query response 0x5375 Server failure A
gdxypnfowcc.www.1818my.com
133 2016-02-02 10:24:15.482620371 101.99.20.163 -> x.x.x.x DNS 92
Standard query response 0x5375 Server failure A
jqysdilejxcznxr.www.1818my.com
134 2016-02-02 10:38:53.528569603 90.154.197.253 -> x.x.x.x DNS 82
Standard query response 0x5375 Server failure A uacvx.www.1818my.com
135 2016-02-02 10:51:19.133470580 86.102.168.66 -> x.x.x.x DNS 82
Standard query response 0x5375 Server failure A lxxax.www.1818my.com
136 2016-02-02 10:56:28.214752509 163.23.118.1 -> x.x.x.x DNS 86
Standard query response 0x5375 Refused A fmhxnyfya.www.1818my.com
137 2016-02-02 10:56:48.808973842  193.8.47.24 -> x.x.x.x DNS 82
Standard query response 0x5375 Server failure A mdhyx.www.1818my.com
138 2016-02-02 11:34:38.020879046 193.106.93.233 -> x.x.x.x DNS 78
Standard query response 0x5375 Server failure A x.www.1818my.com

Of interest is that every single one of these is sourced from 53, and
the destination is 420, which is why they continue to get dropped at my
firewall.  Very curious.  I'm going to switch the capture to full-on dns
and see what comes up.  More to come... thank you.

James 

On 2016-02-02 11:56, anthony kasza wrote: 

> It sounds like the oddness is around the orig_h and resp_h of
> unmatched replies.
> Which system originated a connection of an unmatched DNS reply? That
> begs the question: was the reply unsolicited or did Bro miss the
> request? 
> 
> -AK
> 
> On Feb 2, 2016 9:18 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:
> 
> On 2016-02-02 09:20, Seth Hall wrote:
> On Feb 1, 2016, at 6:31 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> I guess my question is, is this desired behavior?  I see the
> dns_unmatched_reply, but it seems the first two entries never
> happened...so should they be there?  Thanks...more of a curious
> question more than anything else. 
> 
> Which two entries are you referring to?  This looks correct to me.  It
> looks like you saw a stray DNS response message, but there was no
> query.
> 
> .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Hi Seth,

Pretty sure this is me missing something first off.  But to be honest
all the entries:

2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp     dns     -       -       -       SHR     T      F0       d       0       0       1       73      (empty)
2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      udp     21365   -       -       -       -       -      2SERVFAIL       F       F       F       F       0       -       -       T
2016-02-01T08:48:12-0700  x.x.x.x    420     65.113.230.90   53      dns_unmatched_reply     -       F       bro

The above says to me "x.x.x.x sent data to 65.113.230.90 on port 53, and
got a servfail response, and this was actually an unmatched dns
response".  But in reality, this is what happened:

2016-02-01T08:48:12-0700  65.113.230.90    53   x.x.x.x    420
dns_unmatched_reply     -       F       bro

65.113.230.90 was the id.orig_h, not x.x.x.x, but as I read the first
three they state that x.x.x.x was the id.orig_h.  But in fact per this
drop:

Feb  1 08:48:12 kernel: [157335.232732] IN=ppp0 OUT= MAC= SRC=65.113.230.90 DST=x.x.x.x LEN=73 TOS=0x00 PREC=0x00 TTL=249 ID=23786 PROTO=UDP SPT=53 DPT=420 LEN=53

x.x.x.x did not send any traffic to 65.113.230.90, even though conn,
dns, and weird.  As I look at it though, I think it's me needing to get
over reading left to right with Bro :)  Thanks Seth...hope that makes
sense.

James
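As an added example (not code from this thread or from the Bro project), a small Python check that reads conn.log records like the one quoted above and reports those where the nominal originator sent no packets at all, which is how a stray reply from port 53 shows up once Bro has made the port-53 side id.resp_h; the record with orig_pkts 0 and a lowercase-only history of "d" is the signature. The `#fields` header, the uids and the 192.0.2.x addresses standing in for x.x.x.x are constructed assumptions.

```python
# Constructed conn.log excerpt (assumption, not the list poster's data).
# Field order mirrors the record quoted in the thread; x.x.x.x is replaced
# by the documentation address 192.0.2.10 and the uids are made up.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1454341692.311086\tCx1\t192.0.2.10\t420\t65.113.230.90\t53\tudp\tdns\t-\t-\t-\tSHR\tT\tF\t0\td\t0\t0\t1\t73\t(empty)
1454341700.104211\tCx2\t192.0.2.10\t51234\t192.0.2.53\t53\tudp\tdns\t0.012\t40\t120\tSF\tT\tT\t0\tDd\t1\t68\t1\t148\t(empty)
"""


def parse_conn_log(text):
    """Yield one dict per record, using the '#fields' line as the header and
    skipping the other '#'-prefixed metadata lines a real conn.log carries."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line[len("#fields\t"):].split("\t")
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))


def is_unsolicited_reply(rec):
    """True when id.orig_h never sent a packet and every history letter is
    lowercase, i.e. all traffic in this 'connection' came from id.resp_h
    (Bro history uses uppercase for originator, lowercase for responder)."""
    hist = rec["history"]
    return (rec["proto"] == "udp"
            and rec["orig_pkts"] == "0"
            and hist not in ("", "-")
            and hist == hist.lower())


def find_unsolicited(text):
    """Return (sender, sender_port, target, target_port, uid) tuples with the
    real sender (id.resp_h) listed first, so the left-to-right reading of the
    conn.log line no longer suggests the local host started the exchange."""
    return [(r["id.resp_h"], r["id.resp_p"], r["id.orig_h"], r["id.orig_p"], r["uid"])
            for r in parse_conn_log(text) if is_unsolicited_reply(r)]


if __name__ == "__main__":
    for sender, sport, target, dport, uid in find_unsolicited(CONN_LOG):
        print(f"{uid}: unsolicited UDP payload from {sender}:{sport} to {target}:{dport}")
```

Feeding the same records through this check makes the 65.113.230.90 entry stand out while the normal query/response pair (history "Dd", orig_pkts 1) is ignored.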
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro 

Links:
------
[1] http://www.1818my[.]com