DATACON DNS direction topic one internal test record.

subject

Data download link: https://804238.link.yunpan.360.cn/lk/surl yf3jspec9qf

Decompression password: 7K! Y $V1 + EJ. YH] = 4

Requirements for internal test questions:

1、 Basic DNS Security Issues

Title Introduction: players find security problems such as attacks around DNS through analysis in a given packet. The packet size of the contest is 2.6g.

Answer submission: the answer should include the IP address, time, end time and domain name list of the attack.

Result of competition

Analytical thinking

To investigate the DNS Security, we first look for the DNS security problems.

Main ideas:

• Attacker's thinking: search and collect the corresponding attack types, and detect according to the characteristics. Google nmap DNS attack plug-in Nessus DNS attack plug-in
• Google
• Nmap DNS attack plug-in
• Nessus DNS attack plug-in
• Defender's idea: snort Suricata
• Snort Suricata
• Snort
• Suricata

Difficulties and challenges

• Because of the large size of pcap packets, it is difficult to analyze directly with Wireshark, and the phenomenon of jam is very serious. Transfer to tshark, edipacp, Snort and Suricata for analysis
• Transfer to tshark, edipacp, Snort and Suricata for analysis
• In the case of no specific target, the overall analysis will be relatively tired and it is difficult to cover all common attacks. It mainly depends on the unknown attacks. There are too many kinds of attacks around DNS.
• In the case of background traffic, the attack may only exist for a few seconds, and the detection window will be relatively small.

Timeline

• 4 hours manual + script analysis + tool analysis are used to understand data set, pcap segmentation, UDP, TCP ratio, packet proportion, retransmission, DNS server IP, client IP, etc

4 hours manual + script analysis + tool analysis

Used to understand dataset, pcap segmentation, UDP, TCP ratio, packet proportion, retransmission, DNS server IP, client IP, etc

• 4-8 hours (learn the rules of tshark, Snort and Suricata, and make simple magic changes to snort and Suricata to meet the needs of the scene). Snort and Suricata are host IDS, which have the concept of internal IP network segment (home? Net). T | sort |Uniq - c|awk - f '' {if ($2 > = 0) print $2} '> ip.from defines and modifies snort rules. DNS attack detection is as follows: alert TCP $external_net any - > $home_net 53 (MSG: "DNS zone transfer TCP"; flow: to_server, established; content: "| 00 fc|; offset: 15; reference: arachnids, 212; reference: CVE, 1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)

4-8 hours (learn the rules of tshark, Snort and Suricata, and make simple magic changes to snort and Suricata to meet the needs of the scene).

• Snort and Suricata are host IDS, which have the concept of internal IP network segment (home? Net). T | sort |uniq -c |awk -F ' ' '{if ($2>=0)print $2 }' > ip.from

Snort and Suricata are host IDS, which have the concept of internal IP network segment (home? Net).

• The target IP = 'of all queries is mapped to home ﹣ net tshark - R Q1 ﹣ final. Pcap - Y "DNS. Flags. Response = = 0" - t fields - e IP. DST | sort | uniq - C | awk - f' '{if ($2 > = 0) print $2}' > ip.dst

Target IP of all queries is mapped to home net

tshark -r q1_final.pcap -Y "dns.flags.response == 0" -T fields -e ip.dst |sort|uniq -c |awk -F ' ' '{if ($2>=0)print $2 }' > ip.dst

• Request IP for attack external IP tshark - R q1_final. Pcap - Y "DNS. Flags. Response = = 1" - t fields - e IP. DST | sort | uniq - C | awk - f '' {if ($2 > = 0) print $2} '> IP. From

Request IP as attack external IP

tshark -r q1_final.pcap -Y "dns.flags.response == 1" -T fields -e ip.dst |sort |uniq -c |awk -F ' ' '{if ($2>=0)print $2 }' > ip.from

• Define and modify snort rules to detect DNS attacks as follows: alert TCP $external_net any - > $home_net 53 (MSG: "DNS zone transfer TCP"; flow: to_server, established; content: "| 00 fc|; offset: 15; reference: arachnids, 212; reference: CVE, 1999-0532; reference: Nessus, 10595; classtype: attempted Recon; Sid: 255; Rev: 13; )alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)

Define and modify snort rules to detect DNS attacks

As follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;) alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)

• Analyze all kinds of attacks and detect them (8 hours +)

Analyze all kinds of attacks and detect them (8 hours +)

Attack and detection

DNS cache poisoning or gateway hijacking

• The malicious attacker controls your gateway. When you send a request to find the IP address of freebuf.com, the man in the middle stops it and returns the IP address of a malicious website to you, Your browser will regard this IP as the IP of the domain you want to visit!! this IP is an interface built by the attacker to imitate the front-end interface of the target website. When you enter the user name, password or payment operation in this interface, you will be recruited.

freebuf.com

• Detection logic: in the case of non hijacking, under a certain network, the corresponding relationship between DNS domain name and IP address will remain stable to a certain extent. If we find that in a certain period of time, the IP address of a large domain name has been tampered to an IP collectively, then it is likely to be hijacked. (consider that after a period of time, the attack is suspended, and the IP returns to the original state.) globally count the corresponding relationship between domain and IP, and confirm its stability.
• In the case of non hijacking, the corresponding relationship between DNS domain name and IP address will be stable to a certain extent in a certain network. If we find that in a certain period of time, the IP address of a large domain name has been tampered to an IP collectively, then it is likely to be hijacked. (consider that after a period of time, the attack is suspended and the IP returns to its original state.)
• Global statistics of the corresponding relationship between domain and IP to confirm its stability.
• Detection results: no attack traffic is found. Preliminary analysis: use script to filter out the corresponding relationship between domain and IP, and observe whether there is jitter. The result is no jitter. Maybe there is a problem with the detection model, or there is no attack (tentatively the former)
• No preliminary analysis of attack traffic is found: use script to filter out the corresponding relationship between domain and IP, and observe whether there is jitter. The result is no jitter. Maybe there is a problem with the detection model, or there is no attack (tentatively the former)
• Preliminary analysis: use script to filter out the corresponding relationship between domain and IP, and observe whether there is jitter. The result is no jitter.
• Use the script to filter out the corresponding relationship between domain and IP, and observe whether there is jitter. The result is no jitter.
• Maybe there is a problem with the detection model, or there is no attack (tentatively the former)

DNS domain delivery vulnerability

• Generally, DNS zone transfer operation is only necessary when there is a backup domain name DNS server in the network. However, many DNS servers are wrongly configured to provide each other with the detailed information of a zone database as long as a client sends a request, that is, to allow untrusted Internet users to perform DNS zone transfer operation. Harm: it is convenient to quickly determine all hosts in a specific area, obtain domain information, such as network topology, server IP address, and provide a lot of sensitive information for attackers' invasion.

Generally, DNS zone transfer operation is necessary only when there is a backup domain name DNS server in the network. However, many DNS servers are wrongly configured to provide each other with the detailed information of a zone database as long as a client sends a request, that is, to allow untrusted Internet users to perform DNS zone transfer operation. Harm: it is convenient to quickly determine all hosts in a specific area, obtain domain information, such as network topology, server IP address, and provide a lot of sensitive information for attackers' invasion.

• Attack features: attack steps: first, query the NS record of a domain name. Then, AXFR or ixfr query area transfer attack on authoritative servers is generally AXFR or ixfr (AXFR is the most common, which is full area transfer, ixfr is incremental area transfer) ixfr (incremental area transfer request), It is different from the traditional AXFR (full zone transfer). When ixfr does zone transfer (DNS synchronization mechanism), it will synchronize with the differentiated part, while AXFR synchronizes the general data with the whole zone through TCP.

Attack characteristics:

• Attack steps: first, query the NS record of a domain name. Then, query the authoritative server with AXFR or ixfr

Attack steps:

• First, query the NS record of a domain name
• Then, make AXFR or ixfr query on the authoritative server
• Zone transfer attacks are usually AXFR or ixfr (AXFR is the most common, for full zone transfer, ixfr is incremental zone transfer) ixfr (incremental zone transfer request), which is different from the traditional AXFR (full zone transfer). Ixfr will synchronize with the differentiated part when it does zone transfer (DNS synchronization mechanism), while AXFR synchronizes with the whole zone

Area transfer attacks are usually AXFR or ixfr (AXFR is the most common, full area transfer, ixfr is incremental area transfer)

Ixfr (incremental zone transfer request) is different from the traditional AXFR (full zone transfer). When ixfr is doing zone transfer (DNS synchronization mechanism), it will synchronize with the differentiated part, while AXFR synchronizes with the whole zone

• General data is transmitted by TCP.

General data is transmitted by TCP.

• Detection logic: simply judge whether there is DNS zone transfer attack tshark-n-r q1|final.pcap-y "((UDP. Port = = 53) | (TCP. Port = = 53))" |grep-e 'axfr|ixfr' > dns_zone|transfer does have attack adjustment filter rules, Before filtering out the normal attack from the refuse data in the response of the more detailed data, there should be a ns query that the return package of the specific AXFR has a lot of domain name data (the test found that the attacker only made an attempt? It was not successful) tshark - R Q1 ﹣ TMP ﹣ 00967 ﹣ pcap - Y "DNS. Qry. Type = = 252 ﹤ DNS. Qry. Type = = 251" successful attempt of the attack Tshark - R Q1 | TMP. Pcap - Y "DNS. Qry. Type = = 252 | DNS. Qry. Type = = 251" - 2 - R "TCP. Srcport = = 53" | grep - V "rejected" found that in fact, there was no traffic successfully attacked, only an attack attempt. Detection result attack IP: 96.199.230.176 Start time: Jan 26, 2019 00:22:34.008473000 end time: Jan 26, 2019 00:28:28.207297000 influence domain name list: 2667 (actually no attack succeeded, because there is no return packet) the unsuccessful DNS zone transfer uses snort detection, you can write a rule yourself: alert TCP $external_net any - > $home_net 53 (MSG: "DNS zone transfer TCP"; content: "| 00 fc|; offset: 14; reference: moxiaoxi; classtype: attempted Recon; Sid: 9999; Rev: 6;) the detection of DNS zone transfer brought by snort will detect the TCP connection status (established) for TCP, so the above attacks will be filtered out. Run the command line: sudo snort - R Q1 ﹣ TMP ﹣ 00967 ﹣ 20190126002811.pcap - C / etc / snort / snort. Conf - L. / log / - a fast

Detection logic:

• Simply judge whether there is DNS zone transfer attack tshark - N - R q1|final. Pcap - Y "((UDP. Port = = 53) | (TCP. Port = = 53))" |grep - E 'axfr|ixfr' > dns_zone|

Simply judge whether there is DNS zone transfer attack

tshark -n -r q1_final.pcap -Y "((udp.port==53)||(tcp.port==53))"|grep -E 'AXFR|IXFR' > dns_zone_transfer

There are attacks

• Adjust the filtering rules to get more detailed data. Before filtering out the normal attacks, there should be a ns to query the return package of the specific AXFR with a lot of domain name data, Grep - V "rejected" It is found that in fact, there is no traffic successfully attacked, only attack attempt. In this paper, the author analyzes the characteristics of

Adjust the filter rules to get more detailed data

• Filter out the refuse data in response
• Before normal attack, there should be an ns query
• The return package of specific AXFR has a lot of domain name data (the test found that the attacker only tried? No success)

tshark -r q1_tmp_00967_20190126002811.pcap -Y "dns.qry.type==252||dns.qry.type==251"

A successful attempt to attack

tshark -r q1_tmp_00967_20190126002811.pcap -Y "dns.qry.type==252||dns.qry.type==251" -2 -R "tcp.srcport==53" |grep -v "Refused" tshark -r q1_final.pcap -Y "dns.qry.type==252||dns.qry.type==251" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e dns.id -e dns.flags.response -e dns.qry.name -e dns.data -e dns.flags.rcode > dns_zone_transfer_succ_end

• Detection result attack IP: 96.199.230.176 start time: Jan 26, 2019 00:22:34.008473000 end time: Jan 26, 2019 00:28:28.207297000 impact domain name list: 2667 (no actual attack succeeded, Because there is no return packet) the unsuccessful DNS zone transfer uses snort detection, and you can write a rule yourself: alert TCP $external any - > $home net 53 (MSG: "DNS zone transfer TCP"; content: "| 00 fc|; offset: 14; reference: moxiaoxi; classtype: attempted Recon; Sid: 9999; Rev: 6; ）Snort's own detection of DNS zone transfer will detect the TCP connection status (established) for TCP, so the above attacks will be filtered out. Run the command line: sudo snort - R Q1 ﹣ TMP ﹣ 00967 ﹣ 20190126002811.pcap - C / etc / snort / snort. Conf - L. / log / - a fast

detection result

• Attack IP: 96.199.230.176
• Start time: Jan 26, 2019 00:22:34.008473000
• End time: Jan 26, 2019 00:28:28.207297000
• Affected domain name list: 2667 (the actual attack did not succeed because there was no returned package)
• 2667 (no attack succeeded actually because no return packet)

The unsuccessful DNS zone transfer uses snort detection, and you can write a rule yourself:

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; content:"|00 00 FC|"; offset:14; reference:moxiaoxi; classtype:attempted-recon; sid:9999; rev:6;)

Snort's own detection of DNS zone transfer will detect the TCP connection status (established) for TCP, so the above attacks will be filtered out.

Run command line:

sudo snort -r q1_tmp_00967_20190126002811.pcap -c /etc/snort/snort.conf -l ./log/ -A fast

Illegal DNS dynamic update:

sudo suricata -c ./suricata.yaml -r q1_final.pcap -l ./log/

The attack was detected by Suricata with the following alerts:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:”ET POLICY DNS Update From External net”; byte_test:1,!&,128,2; byte_test:1,!&,6 4,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy- violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

• In most production environments, the system administrator configures only secure dynamic updates for DNS. By allowing only trusted domain client computers to automatically register themselves with the DNS server, the management overhead is reduced, and the security risk is significantly reduced. However, in some cases, administrators choose to use non active directory integration zones to maintain policy compatibility with the organization. At this time, any computer can send a registration request to the DNS server. Even if the computer does not belong to the same DNS domain, the DNS server automatically adds the records of the requesting computer to the DNS database.

In most production environments, the system administrator configures only secure dynamic updates for DNS. By allowing only trusted domain client computers to automatically register themselves with the DNS server, the management overhead is reduced, and the security risk is significantly reduced. However, in some cases, administrators choose to use non active directory integration zones to maintain policy compatibility with the organization. At this time, any computer can send a registration request to the DNS server. Even if the computer does not belong to the same DNS domain, the DNS server automatically adds the records of the requesting computer to the DNS database.

• Check the logic, call Suricata directly, and then modify an output plug-in to get the result.

Check the logic, call Suricata directly, and then modify an output plug-in to get the result.

• Detection result: attacker IP: 19.220.251.87200.152.141.106237.205.156.23318.100.48.86 attack time: 2019-01-25t20:29:37.010896 + 0800-2019-01-25t23:49:27.633018 + 08002019-01-26t00:22:01.672532 + 0800-2019-01-26t00:50:11.665267 + 0800 domain name list involved: 2024 domain names in total

Test results:

• Attacker IP: 19.220.251.87200.152.141.106237.205.156.23318.100.48.86

Attacker IP:

19.220.251.87 200.152.141.106 237.205.156.233 18.100.48.86

• Attack time: 2019-01-25t20:29:37.010896 + 0800-2019-01-25t23:49:27.633018 + 08002019-01-26t00:22:01.672532 + 0800-2019-01-26t00:50:11.665267 + 0800

Attack time: 2019-01-25t20:29:37.010896 + 0800-2019-01-25t23:49:27.633018 + 08002019-01-26t00:22:01.672532 + 0800-2019-01-26t00:50:11.665267 + 0800

• List of domain names involved: 2024 domain names in total

List of domain names involved: 2024 domain names in total

DNS Amplification Attack

• Amplification attack (also known as leverage attack, English name DNS amplification attack) uses the feature that the reply packet is larger than the request packet (amplification of traffic), forges the source IP address of the request packet, and directs the reply packet to the target being attacked. For DNS server, only need to discard the response packet of the request packet that is not sent out by itself. From the test point of view, send a large number of reply packets to the tested server to see whether they are discarded, and observe whether the CPU utilization rate rises sharply at this time.

Amplification attack (also known as leverage attack, English name DNS amplification attack) uses the feature that the reply packet is larger than the request packet (amplification of traffic), forges the source IP address of the request packet, and directs the reply packet to the target being attacked. For DNS server, only need to discard the response packet of the request packet that is not sent out by itself. From the test point of view, send a large number of reply packets to the tested server to see whether they are discarded, and observe whether the CPU utilization rate rises sharply at this time.

• Attack feature: enlarge the traffic through recursive query, so recursion = 1, any parameter. The return packet is required to be much larger than the sent packet, and the return packet is generally required to be more than 2000. That is, DNS. RR. UDP? Payload? Size > = 2000.

Attack characteristics:

• The traffic is amplified by recursive query, so recursion = 1, any parameter.
• The return packet is required to be much larger than the sent packet, and the return packet is generally required to be greater than 2000. That is, DNS. RR. UDP? Payload? Size > = 2000.
• Detection logic: modify the Suricata DNS rule library by magic, and then process a wave of output. alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; dept h:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative ; threshold: type both, track by_dst, seconds 60, count 5; Classtype: bad unknown; Sid: 2016016; Rev: 8; metadata: created at 2012, updated at 2012) Suricata detected incomplete results, which can be filtered by Wireshark DNS. Flags. Response = = 0 & & DNS. Qry. Type = = 255 & & DNS. RR. UDP 65123; payload ﹣ size > = 2000 & & DNS. Flags. Received = = 1

Detection logic:

Magically change the Suricata DNS rule base, and then process a wave of output.

alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; dept h:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative ; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12 _11, updated_at 2012_12_11;)

Suricata detects incomplete results, which can be filtered by Wireshark

Dns.flags.response==0 && dns.qry.type==255 && dns.rr.udp_payload_size>=2000 && dns.flags.recdesired==1

• Detection results: detection results: 175.222.102.169 → 188.141.167.218 127.130.104.152 → 187.199.129.12 105.191.150.205 → 70.85.232.160 here, we need to ignore those attack requests with too large reflection amplification length, as well as the returned packets.

Test results:

Detected results:

175.222.102.169 → 188.141.167.218

127.130.104.152 → 187.199.129.12

105.191.150.205 → 70.85.232.160

In this case, we should ignore the attack requests with too large reflection amplification length, as well as the returned packets.

DNS subdomain enumeration

The detection is rough, and the result estimation needs further analysis.

• DNS subdomain enumeration is mainly used for violent enumeration of subdomain information to facilitate in-depth attacks in the later stage.

DNS subdomain enumeration is mainly used for violent enumeration of subdomain information to facilitate in-depth attacks in the later stage.

• Detection logic: detect all domain information, and observe whether there is enumeration of a domain name. And the enumeration phenomenon is carried out in time. All domain information is extracted, obviously there is a sub domain enumeration attack. Enumeration of a domain by the same IP in a short time
• Check all domain information to see if there is enumeration of a domain name. And the enumeration phenomenon is carried out in time.
• All domain information is extracted, obviously there is a sub domain enumeration attack.
• Enumeration of a domain by the same IP in a short time
• Detection result: attacker IP: 144.202.64.226

Test results:

• Attacker IP: 144.202.64.226

Attacker IP:

144.202.64.226

DNS tunnel

• DNS tunneling, a kind of covert channel, establishes communication by encapsulating other protocols in DNS protocol. Because DNS is an essential service in our network world, most firewalls and intrusion detection devices rarely filter DNS traffic, which provides conditions for DNS as a hidden channel, so it can be used to achieve operations such as remote control, file transmission, and so on. Now more and more researches have proved DNS Tunneling also often plays an important role in botnet and apt attacks.

DNS tunneling, a kind of covert channel, establishes communication by encapsulating other protocols in DNS protocol. Because DNS is an essential service in our network world, most firewalls and intrusion detection devices rarely filter DNS traffic, which provides conditions for DNS as a hidden channel, so it can be used to achieve operations such as remote control, file transmission, and so on. Now more and more researches have proved DNS Tunneling also often plays an important role in botnet and apt attacks.

• Detection logic: extract all domain information and view the domain information. Tunnel has obvious characteristics in domain.
• Extract all domain information and view the domain information. Tunnel has obvious characteristics in domain.
• Test result: basically no DNS tunnel information.
• Basically, there is no DNS tunnel information.

Nsec enumeration

Type not found before giving the answer.

• For this attack, please refer to the previous blog: https://momoxiaoxi.com/2017/11/05/eisctf/ ා 214 – nsec% E8% AE% B0% E5% BD% 95. Simply speaking, the attacker can obtain the next data information by using nsec to repeatedly obtain the next DNS record, so as to achieve the purpose of disclosure.

For this attack, please refer to the previous blog: https://momoxiaoxi.com/2017/11/05/eisctf/ ා214 – nsec% E8% AE% B0% E5% BD% 95

In short, the attacker can obtain the information of the next data by using nsec to repeatedly obtain the next DNS record, so as to achieve the role of disclosure.

• Detection logic: obtain all DNS records of nsec type attacker IP, attack initiation time, enumerate and use domain name list tshark - R q1_final. Pcap - y '(DNS. Resp. Type = = 47 and DNS. Flags. Response = = 1)' - t fields - e frame. Number - e frame. Time - e IP. DST - e IP. SRC - e DNS. Qry. Name - e DNS. Resp. Type - e dns.resp.name

Detection logic:

• Get DNS records of all nsec types

Get DNS records of all nsec types

• Attacker IP, attack initiation time, enumeration of domain name list

Attacker IP, attack initiation time, enumeration of domain name list

• tshark -r q1_final.pcap -Y '(dns.resp.type == 47 and dns.flags.response == 1)' -T fields -e frame.number -e frame.time -e ip.dst -e ip.src -e dns.qry.name -e dns.resp.type -e dns.resp.name

tshark -r q1_final.pcap -Y '(dns.resp.type == 47 and dns.flags.response == 1)' -T fields -e frame.number -e frame.time -e ip.dst -e ip.src -e dns.qry.name -e dns.resp.type -e dns.resp.name

• Test results: attacker IP: 175.222.102.169 (failed), 105.191.150.205 (failed), 6.116.183.244 (successful) time: Jan 25, 2019 22:30:34.573890000 CST domain name list: d1a4.cc (failed) e24561.com.cn (successful)

Test results:

• Attacker IP: 175.222.102.169 (failed), 105.191.150.205 (failed), 6.116.183.244 (successful)
• Time: Jan 25, 2019 22:30:34.573890000 CST
• Domain name list: d1a4.cc (failed) e24561.com.cn (successful)

Harvest

• In the whole analysis process, we have learned a lot, which is worth recording. Analysis and processing of big data package pcap. Large pcap packages will not be directly analyzed by Wireshark, and other command-line tools are needed for visual analysis. Through statistical tools to analyze the overall pcap packet traffic status, TCP / UDP ratio, retransmission rate, resolution server IP statistics, rule filter and so on. Through all kinds of statistical analysis, the overall flow situation is estimated. Detailed DNS attack analysis, more detailed understanding of the various types of DNS attacks, detection methods, and through this opportunity to learn a wave of Snort and suric use.

In the whole analysis process, we have learned a lot, which is worth recording.

• Analysis and processing of big data package pcap. Large pcap packages will not be directly analyzed by Wireshark, and other command-line tools are needed for visual analysis.
• Through statistical tools to analyze the overall pcap packet traffic status, TCP / UDP ratio, retransmission rate, analysis server IP statistics, rule filter and so on. Through all kinds of statistical analysis, the overall flow situation is estimated.
• Detailed DNS attack analysis, more detailed understanding of the various types of DNS attacks, detection methods, and through this opportunity to learn a wave of Snort and suric use.
• After reading the following WP submitted by you, you can still see a lot of interesting ideas. Large machine direct Wireshark analysis; professional data cleaning flow; analysis through time-frequency chart; through daily scoring system, side channel to determine the answer . I'll wait for you to share later, and I won't describe it here.

After reading the following WP submitted by you, you can still see a lot of interesting ideas.

• Direct Wireshark analysis of large machines;
• Professional data cleaning flow;
• It is analyzed by time-frequency diagram;
• Through the daily scoring system, the side channel determines the answer;
• ... .

I'll wait for you to share it later, so I won't describe it here.

• I hope you can get something in this game! )

I hope you will get something from this competition! )

Reference resources

• https://www.securitynik.com/2014/05/analyzing-dns-zone-transfer-both.html
• https://github.com/eldondev/Snort/blob/master/rules/dns.rules
• https://www.securityforrealpeople.com/2015/01/detecting-malware-through-dns-queries.html
• https://www.cnblogs.com/liun1994/p/6142505.html
• https://github.com/pevma/rule2alert
• http://www.kaiyuanba.cn/content/network/snort/Snortman.htm
• http://www.tutorialspoint.com/articles/configuring-dns-server-for-secure-only-dynamic-updates
• https://social.technet.microsoft.com/Forums/ie/en-US/989e0771-1d6f-4711-bfce-f082ce77b5d9/dns-secured-v-insecure-dynamic-updates?forum=winserverDS
• http://blog.sina.com.cn/s/blog_90bb1f200101iazl.html
• https://yq.aliyun.com/articles/396578/
• https://eprint.iacr.org/2010/115.pdf
• https://www.researchgate.net/publication/221655355_A_Security_Evaluation_of_DNSSEC_with_NSEC3
• https://docs.infoblox.com/display/NAG8/Detecting+NXDOMAIN+Attacks