[dns-operations] All Too Quiet?
David Dagon
dagon at cc.gatech.edu
Wed Jul 30 17:53:27 UTC 2008
On Wed, Jul 30, 2008 at 01:18:24PM +0100, Richard Westlake wrote:
> How do you tell if an apparent attack is a researcher, mischief maker or
> fraudster?
Here are some rules of thumb:
-- The source address of an attack will be the (spoofed) authority
server. The source address of a researcher will not be an
authority server. You can dig @${SUSPECT_IP}, and see basic
authority behavior. In many cases (but not all) researchers will
not have a responder.
-- The source address of an attack may (but in my case, cannot) have
an appropriate reverse DNS.
-- The host sending you suspect packets will (in my case) have a
webserver, offering HTML 3.2 non-js content, information, phone
numbers, email addresses, and a mechanism to remove your network
from all future probes. This is the minimum I think RFC 1262
suggests; however, it seems that reverse is your only chance.
-- The researcher will, after an appropriate learning time,
respect your ICMP 'host not reachable' (3,3) messages, and
no longer send you probes. An attacker might well respect
these quicker, and move on to victims that will receive
such traffic. (This is an artifact of how the researcher
and attacker pick dst IPs. The researcher has an (aging)
list of DNS talkers, and covers much of the Internet;
the attack has selected a single IP in most cases).
-- The attacker will send you answers (spoofed from the authority,
and with an update to the authority), and only a few queries
to tickle your DNS initiator into asking a question, or to check
your cache for evidence of success. The researcher will send you
queries, not answers.
-- In some cases, the researcher will send you a query for a
domain that suggests it is a test/research-related domain.
E.g., they may ask:
A? HASH(IP,time,nonce).dns-study.example.com
The attacker could of course do the same, but in the
early phase of things that seems unlikely. A researcher
will have valid whois entries and contact information
for the domain; the attacker will not.
There are more things to look for, but as a researcher trying to not
look like an attacker, this is what I know from the school of hard
knocks.
--
David Dagon
dagon at cc.gatech.edu
Ph.D. Student
Georgia Inst. of Tech.
ASCII RIBBON CAMPAIGN AGAINST HTML MAIL
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."
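As an added illustration (not part of David's post or of any tool he describes), the following Python applies three of his rules of thumb to a constructed sample of inbound DNS packets: answers outnumbering queries, a source address that is the zone's authority, and queries for a HASH.dns-study-style test name. The addresses, names, the authority set and the research-name pattern are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Addresses of the real authority for the zones we resolve (constructed).
AUTHORITY_IPS = {"198.51.100.5"}

# Constructed sample of inbound UDP/53 packets: (src_ip, qr_is_response, qname).
SAMPLE = [
    ("198.51.100.5", True, "www.example.com"),   # unsolicited answer "from" the authority
    ("198.51.100.5", True, "www.example.com"),
    ("198.51.100.5", True, "www.example.com"),
    ("198.51.100.5", False, "a1.example.com"),   # one query to tickle the resolver
    ("203.0.113.9", False, "9f2c0b7d3e1a5c4f8b2d.dns-study.example.net"),
    ("203.0.113.9", False, "7a1e44c0d9b2f6e3a5c1.dns-study.example.net"),
    ("192.0.2.44", False, "mail.example.org"),   # plain queries, nothing to go on
]

# Assumed shape of a research probe name: hex hash label, then a label
# containing study/research/probe/survey, e.g. HASH.dns-study.example.com
RESEARCH_NAME = re.compile(
    r"^[0-9a-f]{16,}\.[^.]*(study|research|probe|survey)[^.]*\.", re.I)


def looks_like_research_name(qname: str) -> bool:
    """True when the query name matches the assumed test-domain pattern."""
    return RESEARCH_NAME.match(qname) is not None


def classify_sources(records, authority_ips):
    """Return {src_ip: (verdict, reasons)} using the post's heuristics."""
    stats = defaultdict(lambda: {"answers": 0, "queries": 0, "research": 0})
    for src, is_response, qname in records:
        s = stats[src]
        if is_response:
            s["answers"] += 1            # answers we did not ask for
        else:
            s["queries"] += 1
            if looks_like_research_name(qname):
                s["research"] += 1
    verdicts = {}
    for src, s in stats.items():
        reasons = []
        if s["answers"] > s["queries"]:
            reasons.append("sends answers rather than queries")
        if src in authority_ips and s["answers"]:
            reasons.append("source address is the zone authority (likely spoofed)")
        if reasons:
            verdicts[src] = ("attack-like", reasons)
        elif s["research"]:
            verdicts[src] = ("researcher-like", ["queries for a research-labelled test name"])
        else:
            verdicts[src] = ("undetermined", ["queries only; check dig @src and whois"])
    return verdicts
```

The "undetermined" bucket is where the post's remaining checks (dig at the source, reverse DNS, the web page, whois on the domain) still have to be done by hand.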