Discussion:
[IPCop-user] DNS Tunneling?
Doc. Caliban
2008-07-10 16:01:56 UTC
Odd Thing #1
I have a user that has sent ~200MB via DNS today. No traffic on any
other protocol, all UDP.

Odd Thing #2
Absolutely no incoming data has been logged.


Ideas? This is happening right now.

-Doc
Jayson Smuts
2008-07-10 16:07:07 UTC
>>> Doc. Caliban<***@gmail.com> 7/10/2008 6:01:56 pm >>>
Odd Thing #1
I have a user that has sent ~200MB via DNS today. No traffic on any
other protocol, all UDP.

Odd Thing #2
Absolutely no incoming data has been logged.


Ideas? This is happening right now.

-Doc

Hi

What were the source and dst ports?

jayson
Kerry Erb
2008-07-10 16:12:30 UTC
On Thu, July 10, 2008 11:07, Jayson Smuts said:
>
>
>>>> Doc. Caliban<***@gmail.com> 7/10/2008 6:01:56 pm >>>
> Odd Thing #1
> I have a user that has sent ~200MB via DNS today. No traffic on any
> other protocol, all UDP.
>
> Odd Thing #2
> Absolutely no incoming data has been logged.
>
>
> Ideas? This is happening right now.
>
> -Doc
>
> Hi
>
> what was the source and dst ports ?
>
> jayson
>

Good question. Let us know what you find. I have seen some options on
some of the peer-to-peer clients that are to help bypass ISP (i.e. Comcast)
throttling of certain types of traffic. I wonder if they are trying to use
certain "required" services' ports to bypass this.

Kerry
John Edwards
2008-07-10 16:12:01 UTC
On Thu, Jul 10, 2008 at 12:01:56PM -0400, Doc. Caliban wrote:
> Odd Thing #1
> I have a user that has sent ~200MB via DNS today. No traffic on any
> other protocol, all UDP.
>
> Odd Thing #2
> Absolutely no incoming data has been logged.
>
>
> Ideas? This is happening right now.

200MB is way too much for DNS.

UDP port 53 is open on most firewalls, so it can be used for obfuscated or
encrypted traffic that wants to secretly bypass any blocked ports.

Suggestions:

1) Check that your monitoring software is OK. I would think there
should be at least some web or email traffic in there.

2) Use tcpdump to grab a dump of the traffic on UDP port 53 and then
wireshark to examine it. This will allow you to see if it is legitimate DNS
traffic or not.

3) Talk to the user. Check their machine for new software, trojans,
root kits, etc.


Earlier this week there was a big DNS vulnerability in most DNS
servers; this could be an attack on that, but I would think it is
a little early for an automated attack.


--
#---------------------------------------------------------#
| John Edwards Email: ***@cornerstonelinux.co.uk |
#---------------------------------------------------------#
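John's second suggestion, triaging a UDP/53 capture to tell real lookups from tunnelled payload, as an added example that is not part of this thread: a Python script that parses the question section of raw DNS query payloads (what tcpdump or Wireshark would export) and tallies, per source host, queries, bytes and tunnel-like indicators (an oversized or high-entropy leftmost label, or NULL/TXT query types). The sample packets, IP addresses and thresholds are constructed assumptions, not data from the list.

```python
import math
import struct
from collections import Counter, defaultdict

TUNNEL_QTYPES = {10: "NULL", 16: "TXT"}  # record types that carry the most payload per query

def build_query(qname, qtype=1):  # wire-format query (header + one question); builds test input only
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)

def parse_question(payload):
    """Return (qname, qtype) from the first question of a DNS message, or (None, None)."""
    if len(payload) < 12 or struct.unpack(">H", payload[4:6])[0] < 1:
        return None, None
    pos, labels = 12, []
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:  # compression pointer: not valid in a plain question name
            return None, None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 3 > len(payload):  # need the zero terminator plus a 2-byte QTYPE
        return None, None
    return ".".join(labels), struct.unpack(">H", payload[pos + 1:pos + 3])[0]

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above ordinary hostnames."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values()) if s else 0.0

def score_sources(packets, max_label=30, min_entropy=3.5):
    """Per-source counts of queries, bytes and tunnel-like questions over (src_ip, payload) pairs."""
    report = defaultdict(lambda: {"queries": 0, "bytes": 0, "suspicious": 0})
    for src, payload in packets:
        r = report[src]
        r["queries"] += 1
        r["bytes"] += len(payload)
        qname, qtype = parse_question(payload)
        if qname is None:
            continue
        first = qname.split(".")[0]  # tunnels pack their data into the leftmost label
        if len(first) > max_label or shannon_entropy(first) > min_entropy or qtype in TUNNEL_QTYPES:
            r["suspicious"] += 1
    return dict(report)

SAMPLE_PACKETS = [  # constructed: (source IP, UDP/53 payload) as a capture would hand them over
    ("192.168.2.10", build_query("www.example.com")),
    ("192.168.2.77", build_query("0123456789abcdef" * 3 + ".t.example.net", qtype=10)),
    ("192.168.2.77", build_query("0123456789abcdef" * 3 + ".t.example.net", qtype=16)),
]
```

A host whose "suspicious" count tracks its query count, and whose byte total dwarfs everyone else's, is the one to pull a full capture on; ordinary clients resolve short, low-entropy names with A/AAAA/MX types.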
Doc. Caliban
2008-07-10 16:19:47 UTC
> On 10Jul, 08, at 12:12 PM, John Edwards wrote:
>
> 200MB is way too much for DNS.
>
> UDP port 53 is open on most firewalls, so it can be used for obfuscated or
> encrypted traffic that wants to secretly bypass any blocked ports.

Hello,

Thank you to everyone for the replies.

Unfortunately, some of this is over my head as this is the first time
I've had to delve into traffic analysis this deeply.

Information that may be helpful:

I'm using BOT with DNS open from one specific server on Blue to a
specific server on Green.

This user is on Blue and should be being blocked from any access to
Red via BOT. There is a rule blocking HTTP access via IPCop, and a
rule blocking all other ports to Red.


For what it's worth, here's a screen cap of part of the NTOP page for
this user:

http://img294.imageshack.us/img294/6493/103zy7.png

>
>
> Suggestions:
>
> 1) Check that your monitoring software is OK. I would think there
> should be at least some web or email traffic in there.
>
> 2) Use tcpdump to grab a dump of the traffic on UDP port 53 and then
> wireshark to examine it. This will allow you to see if it is legitimate DNS
> traffic or not.
>
> 3) Talk to the user. Check their machine for new software, trojans,
> root kits, etc.
>
>
> Earlier this week there was a big DNS vulnerability in most DNS
> servers; this could be an attack on that, but I would think it is
> a little early for an automated attack.


I'm googling for a concise howto on tcpdump and wireshark...

Thanks for the suggestions, everyone!

-Doc
Tim
2008-07-10 17:34:26 UTC
I say load banish, banish the 201.220.15.75 IP and see what your end user then lacks.

You type that IP into a browser and you go to http://mail.unspoiledqueen.com/mail/src/login.php. Maybe your EUA prohibits such sites anyway?

"Doc. Caliban" <***@gmail.com> wrote: > On 10Jul, 08, at 12:12 PM, John Edwards wrote:
>
> 200MB is way too much for DNS.
>
> UDP port 53 is open on most firewalls, so it can be used for obfuscated or
> encrypted traffic that wants to secretly bypass any blocked ports.

Hello,

Thank you to everyone for the replies.

Unfortunately, some of this is over my head as this is the first time
I've had to delve into traffic analysis this deeply.

Information that may be helpful:

I'm using BOT with DNS open from one specific server on Blue to a
specific server on Green.

This user is on Blue and should be being blocked from any access to
Red via BOT. There is a rule blocking HTTP access via IPCop, and a
rule blocking all other ports to Red.


For what it's worth, here's a screen cap of part of the NTOP page for
this user:

http://img294.imageshack.us/img294/6493/103zy7.png

>
>
> Suggestions:
>
> 1) Check that your monitoring software is OK. I would think there
> should be at least some web or email traffic in there.
>
> 2) Use tcpdump to grab a dump of the traffic on UDP port 53 and then
> wireshark to examine it. This will allow you to see if it is legitimate DNS
> traffic or not.
>
> 3) Talk to the user. Check their machine for new software, trojans,
> root kits, etc.
>
>
> Earlier this week there was a big DNS vulnerability in most DNS
> servers; this could be an attack on that, but I would think it is
> a little early for an automated attack.


I'm googling for a concise howto on tcpdump and wireshark...

Thanks for the suggestions, everyone!

-Doc




-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Doc. Caliban
2008-07-10 17:47:14 UTC
>
> On 10Jul, 08, at 1:34 PM, Tim wrote:
>
> I say load banish, banish the 201.220.15.75 IP and see what your
> end user then lacks.
>
> You type that IP into a browser and you go to http://mail.unspoiledqueen.com/mail/src/login.php
> . Maybe your EUA prohibits such sites anyway?
>
> "Doc. Caliban" <***@gmail.com> wrote: > On 10Jul, 08, at
> 12:12 PM, John Edwards wrote:
>

Hello,

201.220.15.75 is our external (ISP) DNS server. The blue clients end
up with it as a secondary DNS server via DHCP.

The traffic has stopped, and I've blocked him altogether via BOT now.
I will contact him later today and see if I can discover what was
going on. Again, oddly, NTOP showed no incoming traffic whatsoever.
It was all outbound UDP. Weird.

I'll post my findings to the list.

-Doc
Tim
2008-07-10 20:50:00 UTC
Seems as though I was a bit confused on your network setup.

Good ole BOT, that and banish are my best friends!

Maybe if you un-BOT him, give him a static IP with DNS pointing to opendns, you may be able to determine what is up. If no one else on your network (# of users??) is hitting the DNS the same, it points to this one machine/user. I'd say get a bat and smash him one good. ;)

"Doc. Caliban" <***@gmail.com> wrote: >
> On 10Jul, 08, at 1:34 PM, Tim wrote:
>
> I say load banish, banish the 201.220.15.75 IP and see what your
> end user then lacks.
>
> You type that IP into a browser and you go to http://mail.unspoiledqueen.com/mail/src/login.php
> . Maybe your EUA prohibits such sites anyway?
>
> "Doc. Caliban" wrote: > On 10Jul, 08, at
> 12:12 PM, John Edwards wrote:
>

Hello,

201.220.15.75 is our external (ISP) DNS server. The blue clients end
up with it as a secondary DNS server via DHCP.

The traffic has stopped, and I've blocked him altogether via BOT now.
I will contact him later today and see if I can discover what was
going on. Again, oddly, NTOP showed no incoming traffic whatsoever.
It was all outbound UDP. Weird.

I'll post my findings to the list.

-Doc