Snort Forums Archive
Fast-Flux DNS servers
Posted by Watcher on August 10, 2007 08:36:18
Has anyone seen any rules that might be used to detect single or double fast-flux activity? I am in the early stages of researching this activity and do not want to re-invent the wheel. Any information would be appreciated.
Posted by johnmccash on March 06, 2008 05:34:20
I'm looking for this as well. It seems to me that it should be relatively simple (for someone who's fluent in the protocol) to craft a snort signature that would alert on all DNS NS records with low TTLs. According to what I've read, lookups returned by these servers are likely to be for members of fast-flux domains.
Am I incorrect?
Posted by mykol_j on March 19, 2008 04:49:52
I think I'm close. I've noticed that I started catching unusual DNS packets with my Russian Business Network rules... I think this is one example:
#(33 - 486867) [2008-03-17 03:01:11] [url/doc.bleedingthreats.net/bin/view/Main/RussianBusinessNetwork] [local/2406001] [snort/1:2406001] BLEEDING-EDGE RBN Known Russian Business Network Traffic - Individual Hosts
IPv4: 66.252.1.255 -> blah.blah.blah.blah
hlen=5 TOS=0 dlen=127 ID=44762 flags=0 offset=0 TTL=54 chksum=11153
UDP: port=53 -> dport: 53 len=107
Payload: length = 99
000 : A3 D2 84 10 00 01 00 00 00 01 00 01 0A 62 72 61 .............bra
010 : 69 6E 6B 72 61 73 68 03 63 6F 6D 00 00 1C 00 01 inkrash.com.....
020 : C0 0C 00 06 00 01 00 00 01 2C 00 2C 03 6E 73 30 .........,.,.ns0
030 : 05 73 69 7A 7A 6F 03 6F 72 67 00 06 73 63 72 65 .sizzo.org..scre
040 : 65 6E C0 30 77 A1 2B C1 00 00 07 08 00 00 00 B4 en.0w.+.........
050 : 00 36 EE 80 00 00 01 2C 00 00 29 10 00 00 00 00 .6.....,..).....
060 : 00 00 00
Upon looking at these, I noticed they all use an "Additional records" field to list an EDNS0 option that looks legit according to the RFC, even though I can't seem to see ANY other use of that type of entry in a "known good" packet. This is what that looks like:
Additional records
: type OPT
Name:
Type: OPT (EDNS0 option)
UDP payload size: 4096
Higher bits in extended RCODE: 0x0
EDNS0 version: 0
Z: 0x0
Data length: 0
So, I'm thinking that by looking for the signature 00:00:29:10:00:00:00:00:00:00 in the last 10 bytes, it might be a fast-flux...
Posted by mykol_j on March 19, 2008 04:55:28
Pffttt! Spoke too soon...
Looking at a larger sample of known-good DNS traffic -- and seeing it more often... Crud, thought I was onto something.
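The three things the thread circles around (the original request for a low-TTL check, the remark that someone fluent in the protocol could match TTLs, and the finding that the EDNS0 OPT record also shows up in known-good traffic), as an added example that is not code from any of the posters. It parses the exact 99-byte response from the hex dump above, lists every record with its TTL, and flags those at or below an assumed 300-second threshold; a second packet, a constructed example.com answer with a one-day TTL and the same OPT record, shows the OPT tail matching a benign response. The function names `parse_response`, `flag_low_ttl` and `has_edns0`, the `LOW_TTL_SECONDS` threshold and the second packet are this example's own assumptions.

```python
"""Walk a DNS response record by record, report each TTL, and flag low ones.

Added example for this thread, not code from any of the posters. The TTL sits
at a variable offset (after a variable-length name), so the packet has to be
parsed; a fixed-offset content match cannot find it.
"""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA", 41: "OPT"}

# The 99-byte UDP payload from the hex dump posted above, copied byte for byte.
SAMPLE_RESPONSE = bytes.fromhex(
    "A3 D2 84 10 00 01 00 00 00 01 00 01 0A 62 72 61 "
    "69 6E 6B 72 61 73 68 03 63 6F 6D 00 00 1C 00 01 "
    "C0 0C 00 06 00 01 00 00 01 2C 00 2C 03 6E 73 30 "
    "05 73 69 7A 7A 6F 03 6F 72 67 00 06 73 63 72 65 "
    "65 6E C0 30 77 A1 2B C1 00 00 07 08 00 00 00 B4 "
    "00 36 EE 80 00 00 01 2C 00 00 29 10 00 00 00 00 "
    "00 00 00"
)

# Constructed "known good" answer (not from the thread): example.com A 192.0.2.1
# with a one-day TTL and the same EDNS0 OPT record, to show OPT alone is no signal.
KNOWN_GOOD_RESPONSE = bytes.fromhex(
    "12 34 81 80 00 01 00 01 00 00 00 01 "
    "07 65 78 61 6D 70 6C 65 03 63 6F 6D 00 00 01 00 01 "
    "C0 0C 00 01 00 01 00 01 51 80 00 04 C0 00 02 01 "
    "00 00 29 10 00 00 00 00 00 00 00"
)

LOW_TTL_SECONDS = 300  # assumed threshold for this example; tune per environment


def read_name(buf, off, depth=0):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if depth > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            end = off + 2
            tail, _ = read_name(buf, ptr, depth + 1)
            if tail != ".":
                labels.append(tail)
            break
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", off if end is None else end


def parse_response(buf):
    """Parse header, question and every RR in the answer/authority/additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = read_name(buf, off)
        qtype, _qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((qname, TYPE_NAMES.get(qtype, str(qtype))))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            rstart, off = off, off + rdlen
            rec = {"section": section, "name": name,
                   "type": TYPE_NAMES.get(rtype, str(rtype)), "ttl": ttl}
            if rtype == 41:  # OPT: class = UDP payload size, TTL = ext RCODE/version/Z, not a cache TTL
                rec.update(ttl=None, udp_payload_size=rclass, edns_version=(ttl >> 16) & 0xFF)
            elif rtype == 6:  # SOA: MNAME, RNAME, then five 32-bit fields
                mname, p = read_name(buf, rstart)
                rname, p = read_name(buf, p)
                serial, refresh, retry, expire, minimum = struct.unpack_from("!5I", buf, p)
                rec.update(mname=mname, rname=rname, serial=serial, refresh=refresh,
                           retry=retry, expire=expire, minimum=minimum)
            elif rtype == 2:  # NS: one name
                rec["nsdname"], _ = read_name(buf, rstart)
            elif rtype == 1 and rdlen == 4:  # A: dotted quad
                rec["address"] = ".".join(str(b) for b in buf[rstart:off])
            records.append(rec)
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}


def has_edns0(parsed):
    """True when the response carries an EDNS0 OPT pseudo-record."""
    return any(r["type"] == "OPT" for r in parsed["records"])


def flag_low_ttl(parsed, threshold=LOW_TTL_SECONDS):
    """Records (OPT excluded) whose TTL is at or below the threshold."""
    return [r for r in parsed["records"] if r["ttl"] is not None and r["ttl"] <= threshold]


if __name__ == "__main__":
    for label, pkt in (("posted packet", SAMPLE_RESPONSE), ("constructed known-good", KNOWN_GOOD_RESPONSE)):
        parsed = parse_response(pkt)
        print(label, parsed["questions"], "EDNS0:", has_edns0(parsed))
        for r in parsed["records"]:
            print("  ", r["section"], r["name"], r["type"], "ttl", r["ttl"])
        print("  low-TTL records:", [(r["name"], r["type"], r["ttl"]) for r in flag_low_ttl(parsed)])
```

Run stand-alone it prints both packets. In the posted packet the only TTL is the 300-second SOA in the authority section of a NODATA reply (AAAA query, AA bit set, no answer records), which is the ordinary negative-caching shape and says nothing about fast-flux by itself; the constructed packet carries the identical `00 00 29 10 00 00 00 00 00 00` OPT tail with a one-day TTL, the same thing the second mykol_j post ran into in known-good traffic. A low TTL alone is also the normal setting for CDNs and load balancers, so a usable detector keeps the TTL check but pairs it with how often the set of A or NS records returned for the same name changes across successive lookups.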