Poisoned DNS
Page 6: Are there packets?
The following packet descriptions show DNS queries and the responses of the malicious DNS servers. The captured packets were decoded with tethereal; a hex dump follows each one. The second packet of the dump contains the additional RR entry for "com" that overwrote the regular "com" entries. The latter point to the official 13 root name servers.
The first dump was recorded a few days after March 4. It shows that the attacker redirected every address. In the example I query www.cisco.com, and the malicious DNS server answers with 209.135.140.198, which is definitely not the correct address (198.133.219.25).
Frame 1 (2 on wire, 2 captured)
Packet Length: 73 bytes
Capture Length: 73 bytes
Ethernet II
Destination:
Source:
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.11.12.13 (10.11.12.13), Dst Addr: 216.127.88.131 (216.127.88.131)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 59
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xf397 (correct)
Source: 10.11.12.13 (10.11.12.13)
Destination: 216.127.88.131 (216.127.88.131)
User Datagram Protocol, Src Port: 34899 (34899), Dst Port: 53 (53)
Source port: 34899 (34899)
Destination port: 53 (53)
Length: 39
Checksum: 0x9801 (correct)
Domain Name System (query)
Transaction ID: 0xd4f5
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
www.cisco.com: type A, class inet
Name: www.cisco.com
Type: Host address
Class: inet
0x0000 4500 003b 0000 4000 4011 f397 0a0b 0c0d E..;..@.@.......
0x0010 d87f 5883 8853 0035 0027 9801 d4f5 0100 ..X..S.5.'......
0x0020 0001 0000 0000 0000 0377 7777 0563 6973 .........www.cis
0x0030 636f 0363 6f6d 0000 0100 01 co.com.....
Frame 2 (2 on wire, 2 captured)
Frame Number: 2
Packet Length: 119 bytes
Capture Length: 119 bytes
Ethernet II
Destination:
Source:
Type: IP (0x0800)
Internet Protocol, Src Addr: 216.127.88.131 (216.127.88.131), Dst Addr: 10.11.12.13 (10.11.12.13)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 105
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 51
Protocol: UDP (0x11)
Header checksum: 0x006a (correct)
Source: 216.127.88.131 (216.127.88.131)
Destination: 10.11.12.13 (10.11.12.13)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 34899 (34899)
Source port: 53 (53)
Destination port: 34899 (34899)
Length: 85
Checksum: 0x036c (correct)
Domain Name System (response)
Transaction ID: 0xd4f5
Flags: 0x8580 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 1
Additional RRs: 0
Queries
www.cisco.com: type A, class inet
Name: www.cisco.com
Type: Host address
Class: inet
Answers
www.cisco.com: type A, class inet, addr 209.135.140.198
Name: www.cisco.com
Type: Host address
Class: inet
Time to live: 1 day, 3 hours, 46 minutes, 39 seconds
Data length: 4
Addr: 209.135.140.198
Authoritative nameservers
com: type NS, class inet, ns 3sistersmassage.com
Name: com
Type: Authoritative name server
Class: inet
Time to live: 1 day, 3 hours, 46 minutes, 39 seconds
Data length: 18
Name server: 3sistersmassage.com
0x0000 4500 0069 0000 4000 3311 006a d87f 5883 E..i..@.3..j..X.
0x0010 0a0b 0c0d 0035 8853 0055 036c d4f5 8580 .....5.S.U.l....
0x0020 0001 0001 0001 0000 0377 7777 0563 6973 .........www.cis
0x0030 636f 0363 6f6d 0000 0100 01c0 0c00 0100 co.com..........
0x0040 0100 0186 9f00 04d1 878c c6c0 1600 0200 ................
0x0050 0100 0186 9f00 120f 3373 6973 7465 7273 ........3sisters
0x0060 6d61 7373 6167 65c0 16 massage..
At the time of the capture, 3sistersmassage.com resolved to 216.127.88.131, the address of the very server that had received the query.
The next one is a dump from the second attack. It shows several host names (all with the same IP address) as root name servers for .com. The packet is the response to a query for an obscure name (www.leroysprings.com). The server answers with 222.47.183.18 as the IP address and names the same IP address as the root name server for .com.
Frame 1
Packet Length: 260 bytes
Capture Length: 260 bytes
Ethernet II
Destination:
Source:
Type: IP (0x0800)
Internet Protocol, Src Addr: 222.47.183.18 (222.47.183.18), Dst Addr: 10.11.12.13 (10.11.12.13)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 246
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 50
Protocol: UDP (0x11)
Header checksum: 0x9c9d (correct)
Source: 222.47.183.18 (222.47.183.18)
Destination: 10.11.12.13 (10.11.12.13)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 32792 (32792)
Source port: 53 (53)
Destination port: 32792 (32792)
Length: 226
Checksum: 0xfa49 (correct)
Domain Name System (response)
Transaction ID: 0x5494
Flags: 0x8500 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 2
Authority RRs: 4
Additional RRs: 4
Queries
www.leroysprings.com: type A, class inet
Name: www.leroysprings.com
Type: Host address
Class: inet
Answers
www.leroysprings.com: type A, class inet, addr 222.47.183.18
Name: www.leroysprings.com
Type: Host address
Class: inet
Time to live: 1 minute
Data length: 4
Addr: 222.47.183.18
www.leroysprings.com: type A, class inet, addr 222.47.183.18
Name: www.leroysprings.com
Type: Host address
Class: inet
Time to live: 1 minute
Data length: 4
Addr: 222.47.183.18
Authoritative nameservers
com: type NS, class inet, ns ns1.m-dns.us
Name: com
Type: Authoritative name server
Class: inet
Time to live: 1 minute
Data length: 14
Name server: ns1.m-dns.us
com: type NS, class inet, ns ns2.com
Name: com
Type: Authoritative name server
Class: inet
Time to live: 1 minute
Data length: 6
Name server: ns2.com
com: type NS, class inet, ns ns1.bizwebb.us
Name: com
Type: Authoritative name server
Class: inet
Time to live: 1 minute
Data length: 14
Name server: ns1.bizwebb.us
com: type NS, class inet, ns ns2.com
Name: com
Type: Authoritative name server
Class: inet
Time to live: 1 minute
Data length: 2
Name server: ns2.com
Additional records
ns1.m-dns.us: type A, class inet, addr 222.47.183.18
Name: ns1.m-dns.us
Type: Host address
Class: inet
Time to live: 1 minute
Data length: 4
Addr: 222.47.183.18
ns2.com: type A, class inet, addr 222.47.183.18
Name: ns2.com
Type: Host address
0x0000 4500 00f6 0000 4000 3211 9c9d de2f b712 E.....@.2..../..
0x0010 0a0b 0c0d 0035 8018 00e2 fa49 5494 8500 .....5.....IT...
0x0020 0001 0002 0004 0004 0377 7777 0c6c 6572 .........www.ler
0x0030 6f79 7370 7269 6e67 7303 636f 6d00 0001 oysprings.com...
0x0040 0001 c00c 0001 0001 0000 003c 0004 de2f ...........<.../
0x0050 b712 c00c 0001 0001 0000 003c 0004 de2f ...........<.../
0x0060 b712 c01d 0002 0001 0000 003c 000e 036e ...........<...n
0x0070 7331 056d 2d64 6e73 0275 7300 c01d 0002 s1.m-dns.us.....
0x0080 0001 0000 003c 0006 036e 7332 c01d c01d .....<...ns2....
0x0090 0002 0001 0000 003c 000e 036e 7331 0762 .......<...ns1.b
0x00a0 697a 7765 6262 c05c c01d 0002 0001 0000 izwebb.\........
0x00b0 003c 0002 c06c c052 0001 0001 0000 003c .<...l.R.......<
0x00c0 0004 de2f b712 c06c 0001 0001 0000 003c .../...l.......<
0x00d0 0004 de2f b712 c06c 0001 0001 0000 003c .../...l.......<
0x00e0 0004 de2f b712 c07e 0001 0001 0000 003c .../...~.......<
0x00f0 0004 de2f b712 .../..
What about Snort rules?
The following Snort rules should detect poisoning attacks on the .COM domain. We publish new signatures on the ISC site once we have tested them. Current signatures can also be found at: http://bleedingsnort.com/
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"com DNS cache poison";
content:!"TLD-SERVERS"; nocase; offset:10; depth:50; content:"|c0|";
content:"|00 02|"; distance:1; within:2;
byte_jump:1,-3,relative,from_beginning; content:"|03|com|00|"; nocase;
within:5; classtype:misc-attack; sid:1600; rev:3;) (ju)
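The check that the Snort rule above encodes, as an added Python example that is not part of the original article: it parses the DNS payload of the second frame of the first dump (transcribed here from its hex dump) and lists "com" NS records in the authority section whose target is not a *tld-servers* host. The substring test and the RR tuple layout are my own choices, not the rule's exact byte matching.

```python
import struct

# Constructed input: UDP payload of frame 2 in the first dump (DNS starts at 0x1c).
POISONED_RESPONSE = bytes.fromhex(
    "d4f5 8580 0001 0001 0001 0000"                     # header: 1 Q, 1 AN, 1 NS
    "0377 7777 0563 6973 636f 0363 6f6d 00 0001 0001"   # www.cisco.com A IN
    "c00c 0001 0001 0001 869f 0004 d187 8cc6"           # A 209.135.140.198
    "c016 0002 0001 0001 869f 0012"                     # com NS, rdlength 18
    "0f33 7369 7374 6572 736d 6173 7361 6765 c016")     # 3sistersmassage.com


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer: jump, keep end
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower(), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_sections(msg):
    """Return [answers, authority, additional]; each RR is (name, type, ttl, rdata)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question(s)
        off = read_name(msg, off)[1] + 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = read_name(msg, off)[0] if rtype == 2 else msg[off:off + rdlen]
            off += rdlen
            rrs.append((name, rtype, ttl, rdata))
        sections.append(rrs)
    return sections


def poisoned_com_ns(msg):
    """Same test as the Snort rule: 'com' NS records whose target is not a
    *tld-servers* host. A non-empty list means the response should be dropped."""
    return [ns for name, rtype, _ttl, ns in parse_sections(msg)[1]
            if name == "com" and rtype == 2 and "tld-servers" not in ns]
```

A resolver-side version of this check (refusing out-of-bailiwick authority records) is what stops the poisoned "com" delegation from being cached in the first place.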