DNS tunneling is especially popular in Chinese territory, in order to bypass the locally applied censorship & government monitoring... actually, every way to disguise & bypass is very popular in China :)
LockHoodlum 2 years ago
I've seen plenty of backdoors tunneling traffic via DNS. It's an old and not so sophisticated method of bypassing IPS/IDS systems, or proxied/firewalled networks, as UDP 53 remains open more than 98% of the time. If you want a small demo of how to tunnel traffic over 53, query on dns2tcp. There's also a way to tunnel traffic using ICMP...
LockHoodlum 2 years ago 2
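The defender-side counterpart of the point above is to look for DNS queries that carry data rather than hostnames. This is an added example, not code from the thread or from dns2tcp; it assumes a simplified query log of `client_ip qname qtype` and scores each query on three heuristics (very long label, high label entropy, bulky record type), then reports clients that repeatedly query one registered domain that way.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client_ip qname qtype); not from any real capture.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a3f9c1e2b7d4e8f0a1b2c3d4e5f6a7b8c9d0e1f2.t.example-tunnel.net TXT
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d.t.example-tunnel.net TXT
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c.t.example-tunnel.net TXT
10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    # Bits per character: hostnames score low, encoded payload chunks score near 4 for hex.
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Simplification: last two labels; a real deployment would use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def tunnel_indicators(qname, qtype):
    # Count heuristic signs that the query name is carrying data, not naming a host.
    labels = qname.rstrip(".").split(".")[:-2]  # subdomain labels only
    longest = max(labels, key=len, default="")
    score = 0
    if len(longest) >= 30:               # encoded chunks produce very long labels
        score += 1
    if shannon_entropy(longest) >= 3.5:  # random-looking label, unlike real hostnames
        score += 1
    if qtype in ("TXT", "NULL", "CNAME"):  # record types that carry bulky answers back
        score += 1
    return score

def find_tunnel_suspects(log_text, min_score=2, min_hits=3):
    """Return {(client_ip, registered_domain): count} for clients repeating tunnel-like queries."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        if tunnel_indicators(qname, qtype) >= min_score:
            hits[(client, registered_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}
```

Thresholds are starting points; tune them against your own resolver logs, since CDNs and some anti-spam services also produce long, high-entropy labels.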
@lockhoodlum hey, thanks for the info! Yes, most people don't egress filter DNS out of their network. Unless you mean as a listening service rather than a reverse shell?
ethosflux 2 years ago
@Sarnuial that seems like a good call; it does seem like a DDoS attack, considering they all seem to be coordinated and start at the same time. For the record, 53 is DNS, 137 is NetBIOS. Looks like someone port scanned this network and then tried to DoS it. Unsophisticated attack methodology, but they had access to a botnet, and that makes someone dangerous regardless.
ethosflux 2 years ago 2
@ethosflux Def. Arkowitz, are they using the standard ports for the most common protocols like DNS, NetBIOS, etc.? Double-check that before you assume; if they were doing things correctly they should be switching things up. But the single packet on the higher port numbers was scanning for that (unusual port usage), just simple pings for responses. Then, when they get a response signaling there is a daemon listening on that port, they attempt to authenticate or learn more on how to.
trepidity23 2 years ago
@trepidity23 Second. Are the IPs that are hitting each port in sequence varying? In other words, is it the same IP, or different ones? If it is the same, that firewall may need some security beefing up; it should recognize repeated requests like that, then temp ban or block that IP. If it is varying, the person knows what they are doing better. That would help determine how good they are too. Either way, this person is feeling out your network for a way in, not good.
trepidity23 2 years ago
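The "same IP hitting ports in sequence" check the comment above describes can be done over firewall logs before any blocking decision. This is an added example, not code from the thread or from any firewall product; it assumes a simplified log of `timestamp src_ip dst_port`, finds sources that touch many distinct ports within one time window, and reports whether the ports run consecutively (the signature of a sequential scan).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (timestamp src_ip dst_port); not from any real device.
SAMPLE_FW_LOG = """\
2024-01-01T10:00:00 203.0.113.9 21
2024-01-01T10:00:00 203.0.113.9 22
2024-01-01T10:00:01 203.0.113.9 23
2024-01-01T10:00:01 203.0.113.9 24
2024-01-01T10:00:01 203.0.113.9 25
2024-01-01T10:00:02 203.0.113.9 26
2024-01-01T10:00:02 203.0.113.9 27
2024-01-01T10:00:03 203.0.113.9 28
2024-01-01T10:00:03 198.51.100.4 53
2024-01-01T10:00:04 198.51.100.4 443
2024-01-01T10:05:00 203.0.113.9 80
"""

def parse_fw_log(text):
    for line in text.splitlines():
        ts, src, port = line.split()
        yield datetime.fromisoformat(ts), src, int(port)

def find_port_sweeps(text, window=timedelta(seconds=60), min_ports=5):
    """Flag sources that hit >= min_ports distinct ports inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, src, port in parse_fw_log(text):
        by_src[src].append((ts, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # advance the window start until every event from start..end fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {p for _, p in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_ports:
            ports = sorted(best)
            # consecutive port numbers are the signature of a sequential scan
            sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
            alerts[src] = {"ports": ports, "sequential": sequential}
    return alerts
```

The alert output is the trigger for the temporary ban the comment suggests; the ban itself belongs in the firewall's own rate-limit or block-list mechanism, with a short expiry so a spoofed or shared source address does not lock out legitimate users for long.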
Port 53 is usually DNS.
Looks to me like an attempted ping flood. That would explain the non-port-based ICMP packets, and, as someone else commented on the other video, the countries that the traffic seems to be coming from have high Windows piracy rates, which would imply botnets, making this a DDoS.
Still, I know fairly little about all this and could be miles off. I'll be interested to see what the final consensus is!
Sarnuial 2 years ago