[Bro] Connection History: "connection direction was flipped by Bro’s heuristic"

Azoff, Justin S jazoff at illinois.edu
Fri Apr 21 19:23:02 PDT 2017


> On Apr 21, 2017, at 7:35 PM, Dave Crawford <bro at pingtrip.com> wrote:
> 
> What does the caret ("connection direction was flipped by Bro's heuristic") in a connection's history mean? If the packet in question was spoofed (like the receiving end of a DNS amplification attack) would that trigger Bro's heuristics?

Yes.

> 
> Below are entries from dns, conn and weird logs for the same event for which I can’t find any indications that it sourced from my network. Additionally, there are no subsequent connection attempts to the IP contained the response packet.
> 
> Dns.log
> 1491285594.163321       CFXfdl4zMQrM2T15Wa      <REDACTED>   57555   194.9.69.193    53      udp     21705   -       wfuvsrsrwb.www.91duofenxiang[.]com        -       -       -       -       0       NOERROR F       F       F       T       0       193.58.251[.]1    60.000000       F
> 
> Conn.log
> 1491285594.163321       CFXfdl4zMQrM2T15Wa      <REDACTED>   57555   194.9.69.193    53      udp     dns     -       -       -       SHR     T   ^d       0       0       1       94      (empty) PDC_NSM-4       US      RU
> 
> Weird.log
> 1491285604.163437       CFXfdl4zMQrM2T15Wa      <REDACTED>   57555   194.9.69.193    53      dns_unmatched_msg       -       F       PDC_NSM-4

It definitely wasn't sourced from your network.  You can see the numbers after the history field (^d) are:

orig_pkts=0
orig_ip_bytes=0
resp_pkts=1
resp_ip_bytes=94

which shows that Bro saw that you sent 0 packets and received 1.

The issue is that you were sent a DNS response packet, which in a perfect world where carriers do proper ingress filtering would have only happened if you had sent the corresponding DNS query packet.  Bro assumes it didn't see the query due to capture loss and sets up the orig/resp under that assumption.

Unfortunately this doesn't work so well for backscatter, especially when dealing with UDP protocols.

It's easy enough to filter out connections like this to another log file if you wanted, generally anything with a local address as a source and resp_pkts=1 and orig_pkts=0 is from backscatter.

I've looked into fixing this inside of Bro, but the code that handles this sort of thing is a bit complicated.

-- 
- Justin Azoff
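The filter Justin describes (a local originator with orig_pkts=0 and resp_pkts=1) is simple enough to apply to conn.log offline. The following is an added example, not code from the thread or from the Bro project: it parses the tab-separated Bro ASCII log format using the `#fields` header, and flags records that match the backscatter heuristic. It assumes the default conn.log column layout and that the monitored site's address space is 10.0.0.0/8 (both assumptions; adjust `LOCAL_NETS` for your network). The sample log is constructed; its first record mirrors the shape of the one in the thread, with the redacted local address replaced by a made-up one.

```python
import ipaddress

# Constructed conn.log excerpt in Bro ASCII format (assumed default field layout).
# Record 1 mirrors the thread's flipped DNS response; records 2 and 3 are ordinary
# connections that should not match the backscatter heuristic.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1491285594.163321\tCFXfdl4zMQrM2T15Wa\t10.0.0.5\t57555\t194.9.69.193\t53\tudp\tdns\t-\t-\t-\tSHR\tT\tF\t0\t^d\t0\t0\t1\t94\t(empty)
1491285600.000000\tCabc123ExampleUid\t10.0.0.7\t41000\t198.51.100.53\t53\tudp\tdns\t0.012\t40\t120\tSF\tT\tF\t0\tDd\t1\t68\t1\t148\t(empty)
1491285601.000000\tCdef456ExampleUid\t10.0.0.9\t50000\t203.0.113.9\t443\ttcp\t-\t-\t-\t-\tS0\tT\tF\t0\tS\t1\t60\t0\t0\t(empty)
"""

# Assumption: the site's own address space. Replace with your networks.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_conn_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by the #fields header.

    Header lines (#separator, #fields, #types, #close, ...) are skipped, except
    that #fields supplies the column names. Values are left as strings; unset
    values appear as '-' exactly as Bro writes them.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_local(ip_text):
    """True if the address falls inside one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in LOCAL_NETS)


def is_backscatter(row):
    """Apply the heuristic from the thread: originator is a local address, Bro
    counted zero originator packets and exactly one responder packet. A '-' in
    the packet counters (unset) means the record cannot match."""
    try:
        orig_pkts = int(row["orig_pkts"])
        resp_pkts = int(row["resp_pkts"])
    except (KeyError, ValueError):
        return False
    return is_local(row["id.orig_h"]) and orig_pkts == 0 and resp_pkts == 1


def find_backscatter(text):
    """Return the conn.log records that look like backscatter, each annotated with
    whether Bro's '^' marker shows the direction was flipped."""
    hits = []
    for row in parse_conn_log(text):
        if is_backscatter(row):
            row = dict(row)
            row["direction_flipped"] = row.get("history", "").startswith("^")
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_CONN_LOG):
        print(hit["uid"], hit["id.orig_h"], "<-", hit["id.resp_h"],
              "history=" + hit["history"], "flipped=%s" % hit["direction_flipped"])
```

The check deliberately does not require the `^` in the history field, since the heuristic in the thread is stated in terms of the packet counters; the flag is reported alongside so you can see whether Bro itself recorded the flip.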
