
A remote nameserver that I do not have privileges on is intermittently responding with spoofed addresses. I want to monitor this server and collect data on the spoofed responses for analysis. How should I go about doing this?

I essentially want to query for a known domain, compare it to the known IP address, and log the data. I intend to visualize the amount of time the server is responding with spoofed vs. legitimate - as well as patterns in this behavior.

I'm hoping there are tools readily available to do this, but I could do some python/sql if needed. Please advise.

Example:

An A record query for google.com will return 195.22.26.248.

Obviously not a Google address.

N.Balauro
  • Do you only want to log the bad results and times, or all results and times? – Matt Aug 17 '15 at 19:05
  • bad results and times would suffice. I see no merit at this time in collecting all data, considering my analysis goals. Always open to enlightenment though :) – N.Balauro Aug 17 '15 at 19:19
  • Since you don't own the remote IP, it's unclear whether that IP represents a single server or a farm of servers. Without knowing this I can't see useful data being derived from the test even if it's simply for idle curiosity. It would also help if we had an example of a spoofed query and answer so that we can verify that spoofing is in fact occurring. (as opposed to geolocation) – Andrew B Aug 17 '15 at 21:50
  • @AndrewB the remote server is a single server. – N.Balauro Aug 17 '15 at 22:19

2 Answers


I'm going to assume that you know what you're talking about when you say that it's a single DNS server. I'm skeptical because you have not shared your methodology for determining this, but my answer will take it as a given that this information is accurate.

Normally you would perform a query, look at the observed TTL, and query again once that TTL expires. You would continue this until your predetermined sampling period is reached and compare good answers against bad answers.

Unfortunately, the operative word here is "normally". You're looking for a deterministic answer, but these are hard to come by once a server is compromised and in most cases you have to throw logic out the window until you know the specifics of the exploit methodology.

  • Given your other question on security.SE, it's more likely that the server software itself has been compromised than this being the result of being bombed with forged answers.
  • Bombing of spoofed packets would always cycle out on a TTL, but other methods might change the reply unpredictably before the TTL window has expired. In the latter case, it's hard to tell whether the change is due to a refresh or not unless you're 100% certain that you're dealing with a single server and not a farm behind a VIP. TTL will vary pretty consistently in the latter case.

Long story short, you're putting in a lot of work for a problem that isn't yours to own, and since you don't own it you have very few ways of making sure that your gathered information provides a useful conclusion. (aside from an academic exercise in the ratio of raw good:bad replies over time, which would turn this Q&A into one of those "gimme the codez" questions that we frown upon on this SE site)

Andrew B
  • I appreciate your insight. What clues have you leaning towards software compromise? The only reason I thought it was spoofing was the intermittent randomness of the poisoned records. My intention of data collection is to quantify a rough figure of how many users could be affected (based on time of day/length/frequency of poisoned records) which could be used to derive damage done, to find any behaviour patterns if it is indeed active spoofing, and also to have a deliverable to back up my claims. – N.Balauro Aug 17 '15 at 23:32
  • Basically I'm hoping there is a tool or established process for collecting DNS query data over time, transforming and loading the data into a friendly format for analysis, and icing on the cake - meaningful representation of the data. If not, maybe some libraries or frameworks to help speed up development? Just dropping a hook in the dark hoping for a bite. – N.Balauro Aug 17 '15 at 23:45
  • @N.Balauro Simply visiting the IP address in a browser and reading the giant **The site ahead contains malware** warning was sufficient for me. It's time to move to security incident response. – Michael Hampton Aug 18 '15 at 22:30

You can use `dig www.example.com` in bash on most Linux systems to perform a DNS lookup; the output can be customized based on the amount of detail you would like. You can save known good output to a file and then compare results using `diff`. Logging can be performed by extracting the desired info from the dig output; you can then save it in whatever format you want, using a log file or database. Using `date +%s` you can get a Unix timestamp to add to the log, which makes selecting a time range in the logs a matter of integer comparison on a single value.

Matt
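Putting the two answers together (re-query as the observed TTL expires, compare against a verified address set, log with a Unix timestamp) as an added example that is not code from the question or either answer. It assumes `dig` is installed; `NAMESERVER`, `QNAME` and `EXPECTED` are constructed placeholders to replace with the server under observation and addresses you have verified out of band.

```python
"""Poll one nameserver for a known name and log how its answers compare to a
verified address set. Added example, not code from the question or answers.
Assumes `dig` is on PATH; NAMESERVER, QNAME and EXPECTED are constructed
placeholders to replace with your own out-of-band verified values."""
import subprocess
import time

NAMESERVER = "192.0.2.53"                    # placeholder (RFC 5737 range)
QNAME = "example.com"                        # placeholder name to monitor
EXPECTED = {"203.0.113.10", "203.0.113.11"}  # placeholder verified A records

def parse_answer(dig_output, qname):
    """Turn `dig +noall +answer` text into (min_ttl, {A-record addresses}).
    Only A records owned by qname count. Returns (None, set()) when there is
    no usable answer (SERVFAIL, timeout, empty section)."""
    ttls, addrs = [], set()
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "A" and parts[0].rstrip(".") == qname.rstrip("."):
            ttls.append(int(parts[1]))
            addrs.add(parts[4])
    return (min(ttls) if ttls else None, addrs)

def classify(addrs, expected):
    """'good' if every address is verified, 'bad' if any is not,
    'none' if the server returned no A record at all."""
    if not addrs:
        return "none"
    return "good" if addrs <= expected else "bad"

def query(server, qname):
    """One lookup against the specific server; a short timeout makes a hung
    server show up as 'none' instead of stalling the sampler."""
    cmd = ["dig", f"@{server}", qname, "A", "+noall", "+answer", "+time=3", "+tries=1"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_answer(out, qname)

def monitor(log_path, duration_s, max_interval_s=60):
    """Sample until duration_s elapses. Each line is unix_ts, verdict, ttl, addrs
    (tab separated), so selecting a time range is an integer comparison. Sleeps
    for the observed TTL but never longer than max_interval_s, since a compromised
    server may change its reply before the TTL window expires."""
    end = time.time() + duration_s
    with open(log_path, "a") as log:
        while time.time() < end:
            ttl, addrs = query(NAMESERVER, QNAME)
            verdict = classify(addrs, EXPECTED)
            log.write(f"{int(time.time())}\t{verdict}\t{ttl}\t{','.join(sorted(addrs))}\n")
            log.flush()
            time.sleep(min(ttl or max_interval_s, max_interval_s))
```

Run it with something like `monitor("dns_samples.tsv", duration_s=3600)`; every sample is logged with its verdict so the good:bad ratio and timing patterns can be computed afterwards, or filter on the verdict column if you only want the bad ones.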