[Bro] Lying about DNS yields interesting bro entries
James Lay
jlay at slave-tothe-box.net
Tue Feb 2 17:50:04 PST 2016
On Tue, 2016-02-02 at 14:44 -0500, Seth Hall wrote:
> > On Feb 2, 2016, at 2:31 PM, Andrew Smith <andrew.william.smith at gmail.com> wrote:
> >
> > That looks like the DNS server is getting attacked with a spoofed DNS query flood, and is sending DNS responses to the spoofed addresses, and one of the spoofed addresses just happened to be one of James' IPs, so Bro is really seeing a response that it didn't see a request for, because the request came from some attacker out on the Internet. In other words, it's backscatter from someone else being attacked.
>
> Yep, I believe that's exactly right. Bro is also (correctly) flipping the connection around which you can see in the conn.log because the originator of the "connection" never sent any packets.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Ok cool....we are all in agreement that this is an unsolicited DNS
response. However...wouldn't this:
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53
udp dns - - - SHR T F0 d
0 0 1 73 (empty)
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53
udp 21365 - - - - - 2SERVFAIL
F F F F 0 - - T
2016-02-01T08:48:12-0700 x.x.x.x 420 65.113.230.90 53
dns_unmatched_reply - F bro
be something instead like this (the below is a made up entry):
2016-02-01T08:48:12-0700 65.113.230.90 420 x.x.x.x 53
dns_unmatched_reply - F bro
Not trying to beat a dead horse here...just trying to understand how Bro
is treating a DNS response that it never saw requested. Thanks all.
James
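An added example (not code from the thread, and not Bro's own code) that turns Seth's explanation into a check a defender can run over conn.log: when Bro flips a connection because the "originator" never sent a packet, the record ends up with orig_pkts of 0 and a history string containing only lower-case (responder-side) letters, exactly as in the entry James pasted. The column layout assumed below is the field order of that pasted entry without the uid column; the sample records are constructed with documentation-range addresses and are not taken from the post.

```python
"""Flag DNS flows in a Bro/Zeek-style conn.log where only the responder ever sent packets.

Such records are what an unsolicited DNS reply (backscatter from a spoofed
query flood aimed at someone else's resolver) looks like once Bro has flipped
the connection direction.
"""
from typing import Dict, List, Tuple

# Assumed column layout: the fields of the conn.log entry quoted in the thread,
# in order, minus the uid column (the paste in the post omits it).
FIELDS = [
    "ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Constructed sample records (RFC 5737 documentation addresses, not from the thread).
# Record 1 and 3 mirror the shape of James' entry: reply seen, no request.
# Record 2 is an ordinary query/response pair for contrast.
SAMPLE_CONN_LOG = (
    "2016-02-01T08:48:12-0700\t192.0.2.10\t420\t203.0.113.53\t53\tudp\tdns"
    "\t-\t-\t-\tSHR\tT\tF\t0\td\t0\t0\t1\t73\t(empty)\n"
    "2016-02-01T08:48:13-0700\t192.0.2.20\t51234\t198.51.100.53\t53\tudp\tdns"
    "\t0.012\t40\t56\tSF\tT\tF\t0\tDd\t1\t68\t1\t84\t(empty)\n"
    "2016-02-01T08:48:14-0700\t192.0.2.30\t40000\t203.0.113.53\t53\tudp\tdns"
    "\t-\t-\t-\tSHR\tT\tF\t0\td\t0\t0\t3\t219\t(empty)\n"
)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated conn.log lines into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and the '#fields'/'#types' header block
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def is_unsolicited_dns_reply(rec: Dict[str, str]) -> bool:
    """True when the flow is UDP DNS and the recorded originator never sent a packet.

    In the history string upper-case letters are originator events and
    lower-case letters responder events; a leading '^' (newer Bro/Zeek) marks
    a flipped direction and is ignored here. No upper-case letters plus
    orig_pkts == 0 means the 'originator' is only the address the reply was
    addressed to, i.e. the spoofed source of somebody else's query.
    """
    if rec["proto"] != "udp" or rec["service"] != "dns":
        return False
    history = rec["history"].lstrip("^")
    if history == "-" or history == "":
        return False
    return int(rec["orig_pkts"]) == 0 and not any(c.isupper() for c in history)


def backscatter_report(records: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, int]]]:
    """Group unsolicited replies by the answering DNS server.

    Returns {server_ip: [(local_address_that_received_the_reply, resp_pkts), ...]}
    so an analyst can see which remote resolver is being abused and which of
    the monitored addresses were used as spoofed sources.
    """
    report: Dict[str, List[Tuple[str, int]]] = {}
    for rec in records:
        if is_unsolicited_dns_reply(rec):
            report.setdefault(rec["resp_h"], []).append((rec["orig_h"], int(rec["resp_pkts"])))
    return report


if __name__ == "__main__":
    for server, hits in backscatter_report(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"unsolicited replies from {server}: {hits}")
```

The first and third sample records come out flagged and the second does not: the flagged ones are the "SHR / d / orig_pkts 0" shape from the post, where the only packets belong to the responder on port 53, which is why the originator column holds the local address the reply was aimed at rather than the host that actually caused the traffic.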