5/21/2023

Wireshark DNS analysis

This is my second question to the forum, and it's a little different in the sense that I don't know that posting the capture file will help - at least here.

I had been troubleshooting a problem at work reported as slow DNS response, started looking through packet details, and was digging into failed DNS recursive queries when I saw other failed queries that were very strange.

They came three at a time, a few nanosecs apart, at variable times throughout the day. They used the domain suffix for my organization, but the first part of the domain name appeared to be gibberish.

From my first observation subnet, they were recursed from other DNS servers.

I moved my observation point to the source subnet and checked again, identified a subnet used for VDI systems to support offshore resources, and then saw additional DNS servers and other hosts requesting similar bogus names.

We temporarily blocked the VDI subnet (the majority of the activity), and then saw additional sources for the requests.

I had read something in one of my Wireshark Kindle books in a DNS section about how this could be possible malware activity.

I thought the reference was to DNS Fast Fluxing, but after googling around I found security articles for DGA that actually were a better matching description for the observed behavior.

I had created a DNS hostname column that helped make them jump out in the packet list, as these strange failed DNS names weren't evident in any kind of summary view, just in the packet details.

It's really a miracle that I stumbled over them at all, as upon reflection I don't know how you'd otherwise screen for or detect this activity. Tedious to review by drilling into each packet, and hard to isolate from the rest of normal DNS activity.

I found a great wiki link describing the DGA behavior, and some other articles that got very deep really quick.

Following one seems to indicate that the best form of detection requires determining the encoding algorithm, and then somehow filtering or looking for that.
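The two things the poster actually observed, gibberish first labels under the organization's own suffix and NXDOMAIN replies arriving three at a time a few microseconds apart, can be turned into a repeatable screen rather than drilling into packets one by one. The script below is an added example, not the poster's code or tooling: it assumes you have exported DNS reply packets from Wireshark or tshark (for instance the `dns.qry.name` and `dns.flags.rcode` fields) into (timestamp, client, query name, rcode) rows, and it uses a small constructed sample in place of the real capture. It scores each first label by character entropy and vowel ratio, which keeps ordinary long names such as `sharepoint` out of the results, and then only reports names that both look generated and arrived inside a burst of failed lookups. The suffix `.example.corp`, the client addresses and the thresholds are all assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Domain suffix of the organization; an assumed placeholder, not the poster's.
ORG_SUFFIX = ".example.corp"

# Constructed sample of DNS reply rows as they might be exported from tshark:
# (timestamp in seconds, client address, query name, response code).
# None of these values come from the poster's capture.
SAMPLE_REPLIES = [
    (1.000000, "10.1.20.15", "mail.example.corp", "NOERROR"),
    (1.000010, "10.1.20.15", "xkq7vbd2mzr9.example.corp", "NXDOMAIN"),
    (1.000012, "10.1.20.15", "p0v3wk8hqt1z.example.corp", "NXDOMAIN"),
    (1.000015, "10.1.20.15", "jd9mzqx4wlbt.example.corp", "NXDOMAIN"),
    (1.250000, "10.1.20.15", "sharepoint.example.corp", "NOERROR"),
    (2.000000, "10.1.30.7", "intranet.example.corp", "NOERROR"),
    (2.000003, "10.1.30.7", "oldprinter.example.corp", "NXDOMAIN"),  # lone stale name
    (3.500000, "10.1.30.7", "www.partner-site.com", "NOERROR"),
    (4.000000, "10.1.40.2", "ykc3tgg8vvfz.example.corp", "NXDOMAIN"),
    (4.000002, "10.1.40.2", "m4zq9xtv2hdk.example.corp", "NXDOMAIN"),
    (4.000004, "10.1.40.2", "wq7rzkf0bjxn.example.corp", "NXDOMAIN"),
]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    total = len(text)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())


def vowel_ratio(text):
    """Fraction of characters that are vowels; generated labels tend to have few."""
    if not text:
        return 0.0
    return sum(ch in "aeiou" for ch in text) / len(text)


def looks_generated(name, suffix=ORG_SUFFIX, min_len=10,
                    entropy_min=3.0, vowel_max=0.25):
    """Heuristic: first label under our suffix is long, high-entropy and vowel-poor.
    Requiring both conditions avoids flagging long legitimate names like
    'sharepoint', whose entropy is high but whose vowel ratio is normal."""
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)].split(".")[0].lower()
    return (len(label) >= min_len
            and shannon_entropy(label) >= entropy_min
            and vowel_ratio(label) <= vowel_max)


def find_bursts(replies, window=0.001, min_size=3):
    """Per client, group NXDOMAIN replies that follow one another within
    `window` seconds; return (client, [names]) for runs of at least min_size."""
    per_client = defaultdict(list)
    for ts, client, name, rcode in sorted(replies, key=lambda r: r[0]):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, name))
    bursts = []
    for client, events in per_client.items():
        run = [events[0]]
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] <= window:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    bursts.append((client, [n for _, n in run]))
                run = [cur]
        if len(run) >= min_size:
            bursts.append((client, [n for _, n in run]))
    return bursts


def triage(replies, suffix=ORG_SUFFIX):
    """Map client -> sorted generated-looking names seen inside NXDOMAIN bursts."""
    suspects = defaultdict(set)
    for client, names in find_bursts(replies):
        for name in names:
            if looks_generated(name, suffix):
                suspects[client].add(name)
    return {client: sorted(names) for client, names in suspects.items()}


if __name__ == "__main__":
    for client, names in triage(SAMPLE_REPLIES).items():
        print(client, "->", ", ".join(names))
```

Run against a real export, the output is a short list of clients to pull into the packet list with a display filter on their address and `dns.flags.rcode == 3`, which is far quicker than scanning every failed query by hand; the thresholds are starting points and should be tuned against a day of known-good traffic from the same resolvers before anyone acts on the results.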