Bug #2827
closedDNS Golden Transaction ID - detection bypass (4.0.x)
Description
Hello, team!
I've found an interesting problem in DNS protocol related to Transaction ID header field
I made a signature:
alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, DDNS"; \
content:"|04|ddns|03|net|00|"; \
classtype:trojan-activity; \
sid:1; rev:1;)
Please, find a pcap dump in attached archive: 23_6594.pcap
It contains only one packet extracted from a public sandbox.
A signature doesn't match!
I investigated this case a bit and found that for a specific range of Transaction ID values (0x6000, 0x6001, ..., 0x6010, ... 0x6594, 0x6595 and maybe more) detection still absent.
But if we choose something like 0x5FFF as example - detection will be.
I tried some another domain (as example, which is longer on 1 symbol) - and for previous Transaction ID values detection appears.
So, seems that some kind of Transaction ID influence happened.
I made a following game:
- I've generated 65536 different pcaps for a domain in 23_6594.pcap with all possible Transaction ID values
- I've scanned them all... and found one more magic Transaction ID value: 0x0400. More than that:
- pcap with Transaction ID = 0x03FF - detected (23_03FF.pcap)
- pcap with Transaction ID = 0x0400 - not detected (23_0400.pcap)
- pcap with Transaction ID = 0x0401 - detected (23_0401.pcap) - Then I've reduced an original domain length, generated 65535 pcaps, scanned them... and found the same magic ID: 0x0400. And:
- pcap with Transaction ID = 0x03FF - detected (22_03FF.pcap)
- pcap with Transaction ID = 0x0400 - not detected (22_0400.pcap)
- pcap with Transaction ID = 0x0401 - detected (22_0401.pcap) - Then I've increased an original domain length, again generated 65535 pcaps, again scanned them... and again :) found the same magic ID: 0x0400. And:
- pcap with Transaction ID = 0x03FF - detected (24_03FF.pcap)
- pcap with Transaction ID = 0x0400 - not detected (24_0400.pcap)
- pcap with Transaction ID = 0x0401 - detected (24_0401.pcap)
Finally I just made the nslookup of "suricata-ids.org" domain (suricata.original.pcap). Fortunately, the Transaction ID was small and I reproduced a detection with following rule:
alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, suricata"; \
content:"suricata"; \
classtype:trojan-activity; \
sid:2; rev:1;)
Than I changed the Transaction ID to 0x4000 - no detection (suricata.0400.pcap)
I changed it to 0x4001 - detection appears again (suricata.0401.pcap)
I've tested the 0x4000 magic Transaction ID with different domains (DGA - situation is the same)
Seems that we have a reliable approach to perform an information transport via the DNS tunneling without detection in DNS protocol
Could you confirm that?
Thank you
Sincerely yours, Alexey Vishnyakov
Files
Updated by Victor Julien almost 6 years ago
- Copied from Security #2736: DNS Golden Transaction ID - detection bypass added
Updated by Victor Julien almost 6 years ago
- Status changed from Assigned to Closed