review of dns malicious traffic check of datacon

Posted by trammel at 2020-02-27

Author: 0x584a (member of the Xin'an Road author team)

First of all, I gave up on the second question outright. For me the algorithm question would have cost me my hair, so I dropped it decisively. After all, the competition is over now anyway. If there is any error in the analysis below, please leave a comment so I can correct it. Thank you!

This is a review of the first question in the DNS track of the DataCon competition. I was busy when it opened, so I didn't take part. Now that things are a bit looser I'm trying to solve these problems, especially after attending the X-day white-hat conference, where President Wu said there is a huge shortage of analysis and response personnel, so there is no harm in building up more analysis ability.

After decompressing question 1, the capture is quite large (2.6 GB), so it needs to be split into smaller captures.

Simulate the analysis process of a network administrator facing an attack. The given traffic contains five kinds of DNS attack traffic. Contestants need to accurately identify the five DNS attacks and indicate which packets in the pcap file are attack traffic.

Pay attention to the key points of the task: we need to find five kinds of DNS attacks and indicate which attack each of those packets belongs to.

First, load the capture in Wireshark, check the I/O graph to find the period with the highest packet rate, and export those packets into a new pcap for subsequent analysis. (Filtering the full Q1 final pcap directly always hangs.)

My range is 3812183-4748606


Next, let's gather statistics: the servers, the most requested protocols, packet sizes, and so on.

Protocol classification

As you can see, the extracted capture contains only DNS traffic, and packets sent by users make up the largest share.

Packet length

As you can see from the packet lengths, there are many packets larger than 1000 bytes that need to be analyzed.

Basic knowledge supplement

A DNS resolution query request and response:

Resolution queries and their responses use UDP on port 53, which keeps the DNS server load lower and the responses faster.

DNS uses TCP for zone transfers and UDP for everything else. Since UDP is used, we should remember that the UDP source address can be forged, right? That is what makes reflection DoS attacks possible.

Reference: reproducing the memcached UDP DoS

https://www.jgeek.cn/archive/id/22.html

DNS subdomain brute-forcing

First, a complaint: finding the IPs with the most requests in Wireshark is really slow; after half an hour it was only a few percent done.

But with tshark it's much faster:

tshark -r timeTop.pcap -T fields -e ip.src -e ip.dst | tr "\t" "\n" | sort | uniq -c | sort -nr

The first IP, 45.80.170.1, can be excluded; it should be the DNS server ns2.c76e40.net.


Filtering on 144.202.64.226, we see that the domain-name prefixes in the Info column are highly abnormal and numerous, so this traffic is subdomain brute-forcing.


DNS amplification DDoS attack

UDP is a stateless, connectionless transport protocol. An attacker can forge the victim's IP address as the source, send requests to usable servers, and the servers' responses are then delivered to the victim, forming a DDoS attack.

In DNS resolution, an ANY query asks for every record, so the returned packet can be very large. For example:

dig @114.114.114.114 ANY baidu.cn

This filters out the DNS server responses. Next we need to find the request data sent by the attacker, and for that we need to know which DNS servers support recursion and which do not.

Next, exclude the DNS servers that do not support ANY, i.e. those whose responses are only referrals (see Appendix: dns.qry.type list, or Wikipedia):

So there are 71.85.232.160, 127.130.104.152 and 105.191.150.205 left.

This part is interesting. In the article "A little thought on reflection DDoS attack defense",

https://www.freebuf.com/column/138163.html

the author found that when he queried ANY he never got a response larger than 3000; it was truncated instead. He eventually found that the EDNS0 extension mechanism's UDP payload size field in the request can be used to specify the maximum length of the returned message.

Therefore, by filtering on dns.rr.udp_payload_size we can determine which requests are attack requests:

Interestingly, while filtering on types, another attack type turned up.

Unauthorized dynamic update

Filter on [Dynamic update response], which indicates a dynamic update.

Unsafe dynamic update: with the emergence of the Dynamic Host Configuration Protocol (DHCP), client computers get their IP addresses dynamically from a DHCP server, which makes it difficult to manually update their A (address) and PTR (reverse resolution) records. Therefore RFC 2136 proposed DNS dynamic update, so that DNS clients can register with the DNS server and dynamically update their resource records whenever their IP address or name changes. Although the DNS dynamic update protocol stipulates that only authorized hosts may update the server's zone file, an attacker can still use IP spoofing to pose as a host trusted by the DNS server and add, delete or replace zone data.

The total number of dynamic updates initiated is 5055.

Zone transfer vulnerability

This one is relatively easy to detect, covering both IXFR and AXFR:

As you can see, the requests are concentrated from IP 96.199.230.176, so the number of times it was initiated can be counted.

DNSSEC zone walking (enumeration)

The last one I couldn't find. After googling for a long time, the DNS attack types I turned up were all the same as the four above, so I had no choice but to look at a master's writeup.

DataCon 9102: DNS Analysis, THU Team 1

https://github.com/shyoshyo/Datacon-9102-DNS

At first I was confused: why is this an attack? I had also seen it in timeTop.pcap, that is, the returned packets contain the dotted public-key strings, and I hadn't counted it as reflection.

Until I read the master's script, q1.sh:

https://github.com/shyoshyo/DataCon-9102-DNS/blob/master/src/q1.sh

Well, I really am a noob.

The domain-name prefixes with asterisks also left me speechless.
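As an added example (not part of this writeup and not THU Team 1's q1.sh), the following script applies the five checks discussed above to tshark field output: random subdomain prefixes from one source, ANY queries carrying a large EDNS0 UDP payload size, opcode UPDATE, AXFR/IXFR, and NSEC queries. The export command, the 1024-byte size threshold, the distinct-name threshold and the sample lines are all assumptions.

```shell
#!/bin/sh
# Added example (not the writeup's or THU Team 1's code): classify tshark field output
# into the five attack classes discussed above. Assumed export command, using real
# Wireshark field names:
#   tshark -r timeTop.pcap -T fields -E separator='|' -e ip.src -e dns.flags.response \
#     -e dns.flags.opcode -e dns.qry.type -e dns.rr.udp_payload_size -e dns.qry.name
# Columns: src|is_response|opcode|qtype|udp_payload_size|qname

classify_dns() {                       # $1 = distinct-name threshold for brute-force (assumed)
  awk -F'|' -v th="${1:-5}" '
  $2 != 0 { next }                     # only requests are classified; responses are skipped
  $3 == 5 { c["dynamic_update|" $1]++; next }                 # opcode 5 = UPDATE (RFC 2136)
  $4 == 252 || $4 == 251 { c["zone_transfer|" $1]++; next }   # AXFR (252) / IXFR (251)
  $4 == 255 && $5 + 0 >= 1024 { c["amplification_request|" $1]++; next }  # ANY + big EDNS0 size
  $4 == 47 { c["zone_walking|" $1]++; next }                  # NSEC queries, heuristic
  {                                    # ordinary query: count distinct names per src and parent
    parent = $6; sub(/^[^.]*\./, "", parent)
    if (!seen[$1, parent, $6]++) distinct[$1 "|" parent]++
  }
  END {
    for (k in distinct) if (distinct[k] >= th) { split(k, p, "|"); bf[p[1]] += distinct[k] }
    for (s in bf) c["subdomain_bruteforce|" s] = bf[s]
    for (k in c) print k "|" c[k]      # class|src|count
  }' | sort
}

# Constructed sample standing in for tshark output (not taken from the real pcap).
SAMPLE='10.0.0.5|0|0|1||a1b2c3d4.example.test
10.0.0.5|0|0|1||zz9x8w7v.example.test
10.0.0.5|0|0|1||q1w2e3r4.example.test
10.0.0.5|0|0|1||p0o9i8u7.example.test
10.0.0.5|0|0|1||l5k4j3h2.example.test
10.0.0.5|0|0|1||m6n7b8v9.example.test
10.0.0.6|0|0|1||www.example.test
10.0.0.6|1|0|1||www.example.test
198.51.100.7|0|0|255|4096|example.test
198.51.100.7|0|0|255||example.test
198.51.100.9|0|5|6||example.test
203.0.113.3|0|0|252||example.test
203.0.113.3|0|0|251||example.test
192.0.2.8|0|0|47||nonexist.example.test'

printf '%s\n' "$SAMPLE" | classify_dns 5
```

On real traffic the brute-force threshold must be far higher than 5, and an ANY query without EDNS0 is deliberately left unflagged because, as the article above explains, its response is truncated.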

Summary

1. A basic introduction to DNS from scratch; before this I only knew it at the level of general knowledge

2. A better understanding of the DNS protocol and its attack scenarios

3. I learned the solutions and the thinking of the masters

In fact, Wireshark's DNS statistics contain everything. Why didn't I find them this useful at the start?

Frequently used fields

dns.qry.type list

References

Wireshark tips

http://blog.nsfocus.net/wireshark-tips/

What is the DNS resolution process?

https://www.zhihu.com/question/23042131

Types of DDoS attacks a DNS server can suffer

https://www.cnblogs.com/cobbliu/p/3383135.html

A little thought on reflection DDoS attack defense

https://www.freebuf.com/column/138163.html

Testing DNS recursion vulnerabilities and avoiding DNS amplification attacks

https://www.anquanke.com/post/id/83245

Detailed definition of protocol fields in DNS

https://www.cnblogs.com/549294286/p/5172448.html