[Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Kyle Maxwell (Detect 1)
Kyle Maxwell
krmaxwell at gmail.com
Wed Jul 28 03:42:40 GMT 2004
Thanks for your questions; you had really good points and I learned
quite a bit about the structure of DNS packets (not to mention other
details I missed). Responses inline below.
On Mon, 26 Jul 2004 16:48:24 -0000, Adams, Samuel (contractor)
<adamss at eur.disa.mil> wrote:
> Some questions below...
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org]On Behalf Of Kyle Maxwell
> Sent: Sunday, July 25, 2004 8:49 PM
> To: intrusions at incidents.org
> Subject: [Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Kyle Maxwell
> (Detect 1)
>
> What makes you think that one of these systems isn't providing firewall
> protection? Did you see responses to these inbound connections on ports 515
> and 6346?
Examining the data, there aren't any outbound packets sourced on
either of those ports. I didn't consider the possibility that the
sensor was seeing traffic completely outside the firewall and I'll
adjust my "source" section accordingly.
> Do you know why the |07| was incorporated into the signature? Is that always
> part of a DNS packet or does it mean something else?
Decoding the packet according to RFC 1035
(http://www.faqs.org/rfcs/rfc1035.html):
ID = 0x1234 = 4660
QR = 0 [query]
OPCODE = 0 [standard query]
AA = 0 [not valid in queries if set]
TC = 0 [message not truncated]
RD = 0 [recursion not desired]
RA = 1 [recursion available, RFC only describes this field for responses]
Z = 0 [required by RFC, reserved for future use]
RCODE = 0 [no error condition]
QDCOUNT = 1 [1 entry in question section]
ANCOUNT = 0 [0 resource records in answer section]
NSCOUNT = 0 [0 resource records in authority section]
ARCOUNT = 0 [0 resource records in additional records section]
In the question section, the first portion is the QNAME section to
specify the requested domain name. We first see a length octet (07)
followed by 7 octets specifying the first label, in this case
"version". Next is another length octet (04) followed by 4 octets
specifying the second label, "bind". The next length octet is 00
indicating the end of the QNAME section. Decoding further:
QTYPE = 0x0010 = 16 [TXT, text strings]
QCLASS = 0x0003 = 3 [CH, chaos class]
So we see a standard query for the domain "version.bind" as a "chaos
text" query. The |07| in the signature thus ensures that the query is
for a domain starting with the first label "version".
> Were there other version queries from different sources? Sometimes an
> attacker will disguise his origin by burying it in a blizzard of similar
> spoofed reconnaissance. Any evidence of that here?
Other queries were seen from 210.195.43.44, 203.122.47.137,
203.197.102.86, 210.195.43.17, 203.107.137.77, 203.197.102.203, and
202.56.206.74. Each of those addresses generated no other types of
traffic. I'll include this data in both the source and spoofing
sections along with an examination of their locations and whether
there's any sort of pattern to the queries.
--
Kyle Maxwell
krmaxwell at gmail.com
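As an added example that is not part of the original thread, here is a small Python decoder for the RFC 1035 header and question section walked through above, run over a constructed copy of that version.bind query (ID 0x1234, only RA set); the detection helper at the end is my own, not a signature from the practical.

```python
import struct

# Constructed sample of the query decoded above: ID 0x1234, flags 0x0080 (RA only),
# one question, no answer/authority/additional records.
VERSION_BIND_QUERY = (
    b"\x12\x34\x00\x80"                    # ID, flags (QR=0 OPCODE=0 AA=0 TC=0 RD=0 RA=1 Z=0 RCODE=0)
    b"\x00\x01\x00\x00\x00\x00\x00\x00"    # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    b"\x07version\x04bind\x00"             # QNAME: length octet + label, ..., 0 terminator
    b"\x00\x10\x00\x03"                    # QTYPE 16 (TXT), QCLASS 3 (CH)
)

def parse_qname(data, offset):
    """Walk the length-prefixed labels of a QNAME; reject compression pointers."""
    labels = []
    while offset < len(data):
        length, offset = data[offset], offset + 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # 11xxxxxx marks a compression pointer, not a label
            raise ValueError("compression pointer in question QNAME")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length
    raise ValueError("truncated QNAME")

def parse_dns_query(data):
    """Decode the RFC 1035 header and the first question of a DNS message."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    msg = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
           "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
           "ra": flags >> 7 & 1, "z": flags >> 4 & 7, "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    if qd >= 1:
        msg["qname"], off = parse_qname(data, 12)
        if off + 4 > len(data):
            raise ValueError("truncated question")
        msg["qtype"], msg["qclass"] = struct.unpack("!2H", data[off:off + 4])
    return msg

def is_version_bind_query(data):
    """True for a query (QR=0) for version.bind, type TXT (16), class CH (3)."""
    try:
        q = parse_dns_query(data)
    except ValueError:
        return False
    return (q["qr"] == 0 and q.get("qname", "").lower() == "version.bind"
            and q.get("qtype") == 16 and q.get("qclass") == 3)
```

Matching on the decoded QNAME, QTYPE and QCLASS rather than on a raw `|07|` byte avoids false positives from any other 7-octet first label.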