Security #2736 (closed)

DNS Golden Transaction ID - detection bypass

Added by Alexey Vishnyakov about 6 years ago. Updated almost 2 years ago.

Status: Closed
Priority: High
Git IDs: 8357ef3f8ffc7d99ef6571350724160de356158b

Description

Hello, team!

I've found an interesting problem in the DNS protocol related to the Transaction ID header field.

I made a signature:

alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, DDNS"; \
content:"|04|ddns|03|net|00|"; \
classtype:trojan-activity; \
sid:1; rev:1;)

Please find a pcap dump in the attached archive: 23_6594.pcap
It contains only one packet, extracted from a public sandbox.
The signature doesn't match!

I investigated this case a bit and found that for a specific range of Transaction ID values (0x6000, 0x6001, ..., 0x6010, ... 0x6594, 0x6595 and maybe more) detection is still absent.
But if we choose something like 0x5FFF, for example, there will be detection.

I tried another domain (for example, one that is longer by 1 symbol), and for the previous Transaction ID values detection appears.
So it seems that some kind of Transaction ID influence is happening.
I played the following game:

  • I generated 65536 different pcaps for the domain in 23_6594.pcap with all possible Transaction ID values
  • I scanned them all... and found one more magic Transaction ID value: 0x0400. More than that:
    - pcap with Transaction ID = 0x03FF: detected (23_03FF.pcap)
    - pcap with Transaction ID = 0x0400: not detected (23_0400.pcap)
    - pcap with Transaction ID = 0x0401: detected (23_0401.pcap)
  • Then I reduced the original domain length, generated 65535 pcaps, scanned them... and found the same magic ID: 0x0400. And:
    - pcap with Transaction ID = 0x03FF: detected (22_03FF.pcap)
    - pcap with Transaction ID = 0x0400: not detected (22_0400.pcap)
    - pcap with Transaction ID = 0x0401: detected (22_0401.pcap)
  • Then I increased the original domain length, again generated 65535 pcaps, again scanned them... and again :) found the same magic ID: 0x0400. And:
    - pcap with Transaction ID = 0x03FF: detected (24_03FF.pcap)
    - pcap with Transaction ID = 0x0400: not detected (24_0400.pcap)
    - pcap with Transaction ID = 0x0401: detected (24_0401.pcap)

Finally, I just ran nslookup for the "suricata-ids.org" domain (suricata.original.pcap). Fortunately, the Transaction ID was small, and I reproduced the detection with the following rule:

alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, suricata"; \
content:"suricata"; \
classtype:trojan-activity; \
sid:2; rev:1;)

Then I changed the Transaction ID to 0x4000: no detection (suricata.0400.pcap).
I changed it to 0x4001: detection appears again (suricata.0401.pcap).

I've tested the 0x4000 magic Transaction ID with different domains (DGA: the situation is the same).
It seems that we have a reliable approach to transport information via DNS tunneling without detection in the DNS protocol.

Could you confirm that?

Thank you
Sincerely yours, Alexey Vishnyakov
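A harness for the sweep described in this report, added here as an example (it is not the reporter's own tooling or Suricata code): it builds a DNS A query with a chosen transaction ID, wraps it in UDP/IPv4/Ethernet with constructed addresses, and writes one single-packet pcap per ID so a detection engine can be regression-tested for ID-dependent parsing gaps. The IDs 0x03FF, 0x0400, 0x0401, 0x4000 and 0x4001 and the domain come from the report; the addresses, MACs, timestamps and file-name scheme are assumptions.

```python
import struct

def encode_qname(domain: str) -> bytes:
    """Encode a domain as DNS labels, e.g. 'ddns.net' -> b'\\x04ddns\\x03net\\x00'."""
    labels = domain.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dns_query(txid: int, domain: str, qtype: int = 1) -> bytes:
    """Standard query (RD set, QDCOUNT=1) with the given 16-bit transaction ID."""
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack("!HH", qtype, 1)

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_frame(payload: bytes, src="10.0.0.2", dst="10.0.0.53", sport=40000) -> bytes:
    """Wrap a DNS message in UDP/IPv4/Ethernet; addresses are constructed, not real hosts."""
    udp = struct.pack("!HHHH", sport, 53, 8 + len(payload), 0) + payload  # checksum 0 = none
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp

def pcap_bytes(frames) -> bytes:
    """Serialize frames as a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1544000000 + i, 0, len(frame), len(frame)) + frame
    return out

def write_txid_sweep(domain: str, txids, prefix: str = "sweep") -> list:
    """Write one single-packet pcap per transaction ID, named like the report's 23_0400.pcap."""
    names = []
    for txid in txids:
        name = "%s_%04X.pcap" % (prefix, txid)
        with open(name, "wb") as f:
            f.write(pcap_bytes([udp_frame(dns_query(txid, domain))]))
        names.append(name)
    return names

if __name__ == "__main__":
    # The IDs singled out in the report; replay each file and confirm the signature fires for all.
    print(write_txid_sweep("suricata-ids.org", [0x03FF, 0x0400, 0x0401, 0x4000, 0x4001]))
```

Running the full sweep means passing `range(0x10000)` instead of the short list; any ID whose file produces no alert for a signature that matches its neighbours is the parser gap to investigate.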


Files

dns.zip (3.36 KB), Alexey Vishnyakov, 12/11/2018 03:29 PM

Related issues (1: 0 open, 1 closed)

Copied to Suricata - Bug #2827: DNS Golden Transaction ID - detection bypass (4.0.x), Closed, Victor Julien