Security #2736
closedDNS Golden Transaction ID - detection bypass
8357ef3f8ffc7d99ef6571350724160de356158b
Description
Hello, team!
I've found an interesting problem in DNS protocol related to Transaction ID header field
I made a signature:
alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, DDNS"; \
content:"|04|ddns|03|net|00|"; \
classtype:trojan-activity; \
sid:1; rev:1;)
Please, find a pcap dump in attached archive: 23_6594.pcap
It contains only one packet extracted from a public sandbox.
A signature doesn't match!
I investigated this case a bit and found that for a specific range of Transaction ID values (0x6000, 0x6001, ..., 0x6010, ... 0x6594, 0x6595 and maybe more) detection still absent.
But if we choose something like 0x5FFF as example - detection will be.
I tried some another domain (as example, which is longer on 1 symbol) - and for previous Transaction ID values detection appears.
So, seems that some kind of Transaction ID influence happened.
I made a following game:
- I've generated 65536 different pcaps for a domain in 23_6594.pcap with all possible Transaction ID values
- I've scanned them all... and found one more magic Transaction ID value: 0x0400. More than that:
- pcap with Transaction ID = 0x03FF - detected (23_03FF.pcap)
- pcap with Transaction ID = 0x0400 - not detected (23_0400.pcap)
- pcap with Transaction ID = 0x0401 - detected (23_0401.pcap) - Then I've reduced an original domain length, generated 65535 pcaps, scanned them... and found the same magic ID: 0x0400. And:
- pcap with Transaction ID = 0x03FF - detected (22_03FF.pcap)
- pcap with Transaction ID = 0x0400 - not detected (22_0400.pcap)
- pcap with Transaction ID = 0x0401 - detected (22_0401.pcap) - Then I've increased an original domain length, again generated 65535 pcaps, again scanned them... and again :) found the same magic ID: 0x0400. And:
- pcap with Transaction ID = 0x03FF - detected (24_03FF.pcap)
- pcap with Transaction ID = 0x0400 - not detected (24_0400.pcap)
- pcap with Transaction ID = 0x0401 - detected (24_0401.pcap)
Finally I just made the nslookup of "suricata-ids.org" domain (suricata.original.pcap). Fortunately, the Transaction ID was small and I reproduced a detection with following rule:
alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, suricata"; \
content:"suricata"; \
classtype:trojan-activity; \
sid:2; rev:1;)
Than I changed the Transaction ID to 0x4000 - no detection (suricata.0400.pcap)
I changed it to 0x4001 - detection appears again (suricata.0401.pcap)
I've tested the 0x4000 magic Transaction ID with different domains (DGA - situation is the same)
Seems that we have a reliable approach to perform an information transport via the DNS tunneling without detection in DNS protocol
Could you confirm that?
Thank you
Sincerely yours, Alexey Vishnyakov
Files
Updated by Victor Julien almost 6 years ago
- Assignee set to Victor Julien
Both are known weaknesses in protocol detection. The magic 0x4000 triggers the dcerpc protocol detection, so Suricata then considers it dcerpc. This really requires a rewrite/upgrade of the protocol detection engine. This is something we hope to do for 5.0. I'll see if I can create some hack to fix this specific issue.
The 6594 pcap triggers the teredo detection. We've had issues with this before. I'm trying to see if I can make the teredo probing stricter.
Updated by Victor Julien almost 6 years ago
- Status changed from New to Assigned
- Target version set to 4.1.2
Updated by Victor Julien almost 6 years ago
- Status changed from Assigned to Closed
Fixes/workarounds in https://github.com/OISF/suricata/pull/3590
Updated by Victor Julien over 5 years ago
- Copied to Bug #2827: DNS Golden Transaction ID - detection bypass (4.0.x) added
Updated by Victor Julien about 4 years ago
- Tracker changed from Bug to Security
- CVE set to 2019-1010251
- Git IDs updated (diff)