[Bro] Lying about DNS yields interesting bro entries

Seth Hall seth at icir.org
Tue Feb 2 11:44:38 PST 2016


> On Feb 2, 2016, at 2:31 PM, Andrew Smith <andrew.william.smith at gmail.com> wrote:
> 
> That looks like the DNS server is getting attacked with a spoofed DNS query flood, and is sending DNS responses to the spoofed addresses, and one of the spoofed addresses just happened to be one of James' IPs, so Bro is really seeing a response that it didn't see a request for, because the request came from some attacker out on the Internet. In other words, it's backscatter from someone else being attacked.

Yep, I believe that's exactly right.  Bro is also (correctly) flipping the connection around, which you can see in the conn.log, because the originator of the "connection" never sent any packets.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
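The backscatter pattern described in this thread is easy to pull out of a conn.log after the fact: a UDP "connection" to port 53 where the originator sent zero packets and the responder sent at least one is a DNS answer Bro saw without ever seeing the question. The script below is an added example, not code from the thread or from the Bro project; the conn.log excerpt it parses is constructed for the example (documentation address ranges stand in for the spoofed victim and the abused DNS server), while the field names and the `^` history marker (Bro/Zeek's flag for a connection whose direction it flipped) follow the standard conn.log layout.

```python
# Added example (not from the Bro mailing-list thread): flag DNS backscatter in a
# Bro/Zeek conn.log, i.e. responses whose originator never sent anything.
from typing import Dict, List

# Constructed conn.log excerpt. 192.0.2.0/24 plays the spoofed victim network,
# 198.51.100.53 the DNS server being hit with a spoofed query flood.
# Record 1: ordinary query + answer. Record 2: answer only, direction flipped
# by Bro (note "^" in history, orig_pkts == 0). Record 3: unrelated TCP flow.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1454441000.000000\tCAAAA1\t192.0.2.10\t51234\t198.51.100.53\t53\tudp\tdns\t0.010000\t40\t120\tSF\tT\tF\t0\tDd\t1\t68\t1\t148\t(empty)
1454441001.000000\tCBBBB2\t192.0.2.77\t12345\t198.51.100.53\t53\tudp\tdns\t0.000000\t0\t3200\tSHR\tT\tF\t0\t^D\t0\t0\t1\t3228\t(empty)
1454441002.000000\tCCCCC3\t192.0.2.10\t44321\t198.51.100.80\t80\ttcp\thttp\t0.500000\t300\t1500\tSF\tT\tF\t0\tShADadFf\t5\t560\t4\t1700\t(empty)
"""


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated conn.log into dicts keyed by the #fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_dns_backscatter(rec: Dict[str, str]) -> bool:
    """UDP to port 53 where the 'originator' sent nothing but the responder did:
    Bro only ever saw the answer, so the query came from somewhere else."""
    return (
        rec["proto"] == "udp"
        and rec["id.resp_p"] == "53"
        and int(rec["orig_pkts"]) == 0
        and int(rec["resp_pkts"]) > 0
    )


def find_dns_backscatter(text: str) -> List[Dict[str, object]]:
    """Return one summary per backscatter record: who was spoofed, which server
    answered, whether Bro flipped the direction, and how much it sent."""
    hits: List[Dict[str, object]] = []
    for rec in parse_conn_log(text):
        if is_dns_backscatter(rec):
            hits.append({
                "uid": rec["uid"],
                "spoofed_victim": rec["id.orig_h"],
                "dns_server": rec["id.resp_h"],
                "flipped": "^" in rec["history"],
                "resp_ip_bytes": int(rec["resp_ip_bytes"]),
            })
    return hits


def bytes_per_dns_server(text: str) -> Dict[str, int]:
    """Aggregate backscatter volume per answering server; a handful of servers
    with large totals is the signature of a reflection flood someone else is
    suffering, not an attack on the spoofed addresses."""
    totals: Dict[str, int] = {}
    for hit in find_dns_backscatter(text):
        server = str(hit["dns_server"])
        totals[server] = totals.get(server, 0) + int(hit["resp_ip_bytes"])
    return totals


if __name__ == "__main__":
    for hit in find_dns_backscatter(SAMPLE_CONN_LOG):
        print(hit)
    print(bytes_per_dns_server(SAMPLE_CONN_LOG))
```

Run it against a real conn.log by reading the file into `find_dns_backscatter`; the `orig_pkts == 0` test is what matters, and the `flipped` flag simply confirms that Bro applied the direction heuristic the reply above describes.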