DNS AAAA Record Attacks by J. Edward Durrett
Detecting DNS Command and Control / Linux / FreeBSD
As simple as that, I am running commands on a remote machine without being logged
in or creating any major noise.
How to Detect
On the server side, this is anywhere from easy to very difficult depending on the role. A web
server, for example, should not be sending out many DNS queries, and the ones it does
send out (for APIs, etc.) can be narrowed down and whitelisted. But on a network as
a whole, it becomes tougher.
The first point is that nothing should be asking name servers on the internet
directly, so we can log all DNS queries on the resolver. A slight modification of the command in
read.sh can decode the hex in the DNS log files, and the output can then be parsed for strings like
'/etc/passwd.' But that is problematic, as the script could be modified to put
spaces between each character, like ' / e / t / c / p a s s w d.' In addition, an
attacker could also wrap the output in openssl before converting it to hex, so
decoding hex and searching for strings is harder to do.
The next thought I had was to parse the log and get stats on how many
queries are coming from each host:
10.3.1.41 is the target, so we do see more queries from it. But I have been commanding and
controlling it all day. So I rotated the log and started again. I asked for the
output of uname -a and checked the number of queries:
sed -e 's/#.*//g' query.log|sort -n| uniq -c
19 client 10.3.1.3
15 client 10.3.1.41
As you can see, after just a few minutes, my target has made fewer DNS queries than
the other machine on my test network. So this method of detection is inadequate.
As you can see, the bad queries are just a blip in the logs (I cut out many, many
lines between 8 queries and 40). And this is just a few minutes on a test network;
just imagine how little this shows up on a real network, even a small office network.
So I turned to the target to see what I could find out there. It is running system
accounting, and that actually shows me some rather unusual activity. The target is
running FreeBSD, and the Linux commands are slightly different, but it is the same
concept (e.g. drill vs. dig).
Wow, that jed user sure is having fun with the drill command. Now I have gotten to
a point where I can look into it more. So I looked at the times of the commands,
and what that user was doing at that time, 15:51:
This is what it looks like with just the uname command I sent. Fetching the
/etc/passwd file produces this:
From this, I can see a pattern for detection. If drill is called more than 5 times and awk,
cut and xxd are all called in the same minute, there is a compromise. With that it
is possible to write a rule for an IDS like OSSEC to file an alert. And by
narrowing down the time of these few packets leaving the network, I can inspect the
DNS logs and attempt to decode even obfuscated hex.
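The detection pattern above, written out as an added example (not code from the original post): it parses lastcomm-style process accounting lines, buckets them by user and minute, and alerts only when drill exceeds the threshold and awk, cut and xxd all appear in the same bucket. The sample records and the exact column layout are constructed assumptions; real lastcomm output may need the regex adjusted.

```python
import re
from collections import defaultdict

# Constructed sample accounting records in a lastcomm-like layout (assumed format:
# command, flags, user, tty, cpu time, start time; not copied from the post).
# jed's minute matches the pattern; alice runs drill 6 times but without helpers.
SAMPLE_ACCT = """\
drill   -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
awk     -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
cut     -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
xxd     -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
drill   -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
drill   -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
drill   -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
drill   -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
drill   -  jed    ttyv0  0.00 secs Wed Feb 20 15:51
drill   -  alice  ttyv1  0.00 secs Wed Feb 20 15:53
drill   -  alice  ttyv1  0.00 secs Wed Feb 20 15:53
drill   -  alice  ttyv1  0.00 secs Wed Feb 20 15:53
drill   -  alice  ttyv1  0.00 secs Wed Feb 20 15:53
drill   -  alice  ttyv1  0.00 secs Wed Feb 20 15:53
drill   -  alice  ttyv1  0.00 secs Wed Feb 20 15:53
"""

# command, flags, user, tty, "<secs> secs", then a start time ending in HH:MM
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+\S+\s+(?P<user>\S+)\s+\S+\s+[\d.]+ secs\s+.*?(?P<minute>\d{1,2}:\d{2})\s*$"
)

def parse_acct(text):
    """Return (command, user, HH:MM) tuples; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["cmd"], m["user"], m["minute"]))
    return records

def detect(records, drill_threshold=5, helpers=("awk", "cut", "xxd")):
    """Flag (user, minute) buckets where drill ran more than drill_threshold
    times AND every helper command also ran: the post's detection pattern."""
    buckets = defaultdict(list)
    for cmd, user, minute in records:
        buckets[(user, minute)].append(cmd)
    alerts = []
    for (user, minute), cmds in sorted(buckets.items()):
        drills = cmds.count("drill")
        if drills > drill_threshold and all(h in cmds for h in helpers):
            alerts.append((user, minute, drills))
    return alerts
```

Feeding the real accounting output in (for example `lastcomm | python3 detect.py`) instead of the constructed sample is the only change needed to run it against a host; alice's drill-only minute shows why the helper commands are required to avoid alerting on ordinary DNS troubleshooting.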
On production web or mail servers, drill (or dig) is never called during normal
operation. They are useful tools, though, and I can imagine cases where they might
be used to troubleshoot DNS issues, but in production that should be rare.
Furthermore, a regular user in an Accounting or Marketing department should
not be using drill or dig, and with appropriate policy in place, that can be
System accounting exists on the major flavors of *NIX (Mac OS X, Linux, BSD,
Solaris, etc) and can be used to detect AAAA record attacks. I don't see an easy
way to detect/block this activity on the network (using snort, rate limiting DNS,
etc) in general. However, limiting or eliminating outside DNS access for routers,
printers, and other devices isn't a bad idea.
Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.
Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.