
Suricata useless against DNS Attacks?


guest24551:
Hello Everyone!

Here is a short network description
 
      Internet
            :
            : Cable - Vodafone Germany
            :
      .-----+-----.
      |  Gateway  |  Fritz-Box Cable Router
      '-----+-----'
            |
        WAN | 192.168.2.65 Opnsense DHCP
            |
      .-----+------. 
      |  OPNsense
      '-----+------'   
            |
        LAN | 192.168.1.1/24
            |
      .-----+------.
      | LAN-Client | Debian
      '-----+------'
OPNsense:
Domain: home.local
Unbound acts as resolver and has DNS over TLS with DNSSEC enabled (DNSSEC is still not functioning properly)
I also use DNSBL with a blacklist URL.
OpenDNS, Maltrail, Suricata, Sunnyvalley are up too.
I downloaded, activated and enabled "drop" on all rules in Suricata.

WAN: DHCP IPv4+IPv6
LAN: Static

Debian Client:
I've just freshly installed Debian after the first attack to make sure nothing survived. To make sure my notebook stays safe after the install, I started using Firejail and Firefox. But I wonder if that really helped, though.

-----------------------------------------------------------------------------------

I am currently developing a secure home network, and some weeks/months ago I realised there were some attacks that primarily happen with src 192.168.2.65 port 53 and dst ports >1024.
It was the second time an attack like that happened. It always began with receiving malicious UDP port 53 packets from ipify (source was ipify.org:443), and after some days the attacks grew in size, speed and number, from various sources.

Yesterday, after starting my Debian client, I noticed malicious events on Maltrail. I also checked the logs in Suricata and saw that events had been logged there at the same time. Both reported that an API from ipify.org was sending some UDP packets. Suricata reported a huge block of ETPRO POLICY Observed SSL Cert.
However, it seemed like it was scanning, and after a short while one after another came to penetrate my firewall until they breached. I sniffed the WAN and LAN interfaces via promiscuous mode in OPNsense, and I also tracked all UDP port 53 packets live via tcpdump on the WAN interface. When they breached, the whole console grew rapidly and spammed my window with lots of requests to amazonaws and some other unwanted URLs. I unplugged the WAN interface and downloaded my sniffed capture.

I didn't have the time to fully analyze the capture with Wireshark, but it was pretty clear that something bad happened. I saw huge packets with lots of encrypted messages and a lot of traffic between several addresses. Having large encrypted DNS packets on port 53 is no good sign ...

So here I am now, wondering what could have gone wrong and asking what I can do to prevent such an attack. The first time I got hacked, they proxied the GUI of my Ubiquiti EdgeSwitch Max with a DNS rebinding attack. At that time, I already had DNS Rebinding Protection enabled. Unfortunately OPNsense warned me after, and not before, I changed DNS back to default on my switch. The fake DNS server was pointing to some Tor .xyz addresses.
I tried to block or secure port 53, but that didn't work well, because DNS stopped working, no matter what kind of how-to/guide I followed.

I feel like the Internet is kinda fooling me in terms of open DNS ports. Some say you have to open it, others say you have to take care, but no one clearly tells you how to open and secure it.
Do you guys have any idea how to safely implement a secure DNS solution and good protection against attacks like these?
I am still a noob in terms of IT security, but I learn step by step...

Any help here is well appreciated.
Thanks in advance!

Here is my Suricata log:

--- Code: ---2020-07-08T23:10:00 suricata[38610]: [100658] <Notice> -- all 3 packet processing threads, 4 management threads initialized, engine started.
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop smb any any -> $DC_SERVERS 445 (msg: "ATTACK AD [PTsecurity] Possible MS-RPRN abuse. Hash or Ticket theft"; flow: to_server, established, no_stream; content:"SMB"; offset: 5; depth: 3; content: "|05 00 00|"; distance: 0; content: "|41 00|"; distance: 19; within: 2; content: "|00 01 00 00|"; distance: 36; within: 4; content: "|5C 00 5C 00|"; fast_pattern; distance: 0; flowbits: isset, DCERPC.BIND.SPOOLSS; reference: url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-recon; sid: 10004153; rev: 1;)" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 273
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$DC_SERVERS any -> $DC_SERVERS 389 (msg: "ATTACK [PTsecurity] DCShadow: Fake DC Creation"; flow: established, to_server; content: "|68 84 00|"; content: "CN="; distance: 5; within: 3; content: "CN=Servers,CN="; distance: 0; content: ",CN=Sites,CN=Configuration,DC="; distance: 0; content: "objectClass"; distance: 0; content: "server"; distance: 0; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10002559; rev: 2; )" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 215
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|05 00|"; distance: 18; within: 2; flowbits: isset, RPC.Bind.DRSUAPI; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10002558; rev: 1; )" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 213
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt"; flow: established, to_server; content: "|05 00 0B|"; depth: 3; content: "|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance: 0; flowbits: set, RPC.Bind.DRSUAPI; flowbits: noalert; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10002557; rev: 2; )" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 211
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $DC_SERVERS 88 (msg: "ATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5"; flow: no_stream, established, to_server; content: "|A1 03 02 01 05 A2 03 02 01 0A|"; offset: 12; depth: 10; content: "|A1 03 02 01 02|"; distance: 5; within: 6; content: "|A0 03 02 01 17|"; distance: 6; within: 6; content: "krbtgt"; distance: 0; xbits: set, Krb5.AsReq, track ip_src, expire: 10; classtype: attempted-user; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10002228; rev: 1; )" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 171
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file
2020-07-08T23:05:51 suricata: [100658] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-07-08T23:05:51 suricata: [100526] <Notice> -- This is Suricata version 4.1.8 RELEASE
2020-07-08T23:05:51 suricata[83153]: [100201] <Notice> -- Stats for 'igb0+': pkts: 91822, drop: 5207 (5.67%), invalid chksum: 0
2020-07-08T23:05:51 suricata[83153]: [100201] <Notice> -- Stats for 'igb0': pkts: 142974, drop: 0 (0.00%), invalid chksum: 0
2020-07-08T23:05:50 suricata[83153]: [100201] <Notice> -- Signal Received. Stopping engine.
2020-07-08T22:56:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.225.66.103:443 -> 192.168.2.65:28014
2020-07-08T22:56:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.225.66.103:443 -> 192.168.2.65:44941
2020-07-08T22:46:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.214.20:443 -> 192.168.2.65:43728
2020-07-08T22:46:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.214.20:443 -> 192.168.2.65:51898
2020-07-08T22:36:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 23.21.213.140:443 -> 192.168.2.65:27449
2020-07-08T22:36:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 23.21.213.140:443 -> 192.168.2.65:29040
2020-07-08T22:26:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 184.73.165.106:443 -> 192.168.2.65:25054
2020-07-08T22:26:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 184.73.165.106:443 -> 192.168.2.65:55965
2020-07-08T22:16:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.214.20:443 -> 192.168.2.65:9766
2020-07-08T22:16:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.214.20:443 -> 192.168.2.65:63278
2020-07-08T22:06:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.225.66.103:443 -> 192.168.2.65:24312
2020-07-08T22:06:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.225.66.103:443 -> 192.168.2.65:8201
2020-07-08T21:56:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.22.251.25:443 -> 192.168.2.65:37805
2020-07-08T21:56:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.22.251.25:443 -> 192.168.2.65:10832
2020-07-08T21:46:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.22.188.116:443 -> 192.168.2.65:42865
2020-07-08T21:46:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.22.188.116:443 -> 192.168.2.65:51207
2020-07-08T21:36:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.22.188.116:443 -> 192.168.2.65:13562
2020-07-08T21:36:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.22.188.116:443 -> 192.168.2.65:33944
2020-07-08T21:26:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.255.253:443 -> 192.168.2.65:62216
2020-07-08T21:26:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.255.253:443 -> 192.168.2.65:57836
2020-07-08T21:16:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.221.234.156:443 -> 192.168.2.65:13134
2020-07-08T21:16:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.221.234.156:443 -> 192.168.2.65:3524
--- End code ---
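A small triage pass over the posted log, as an added example (not code from the thread, OPNsense or Suricata): it groups the alerts by signature id, checks whether the rule is a POLICY rule, works out which side of the flow opened the connection (the cert is seen in the server's reply, so the side on the ephemeral port is the client), measures the interval between hits, and pulls the undefined rule variable out of the load errors. The sample lines are copied from the log above.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Sample input: three alert lines and one rule-load error copied from the
# Suricata log posted above. The triage code itself is an added example.
LOG = """\
2020-07-08T23:06:58 suricata[38610]: [100658] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file
2020-07-08T22:56:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 54.225.66.103:443 -> 192.168.2.65:28014
2020-07-08T22:46:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 174.129.214.20:443 -> 192.168.2.65:43728
2020-07-08T22:36:01 suricata[83153]: [Drop] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 23.21.213.140:443 -> 192.168.2.65:27449
"""

# fast.log-style alert line as OPNsense forwards it to syslog
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) suricata\[\d+\]: \[(?P<action>\w+)\] \[\d+:(?P<sid>\d+):\d+\] "
    r"(?P<msg>.*?) \[Classification: (?P<cls>[^\]]+)\] \[Priority: \d+\] "
    r"\{\w+\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
UNDEF_RE = re.compile(r'SC_ERR_UNDEFINED_VAR\(\d+\)\] - Variable "(\w+)"')


def triage(log):
    """Group alerts by signature id and report what each group actually shows."""
    undefined, by_sid = set(), defaultdict(list)
    for line in log.splitlines():
        m = ALERT_RE.match(line)
        if m:
            by_sid[m["sid"]].append(m.groupdict())
        else:
            undefined.update(UNDEF_RE.findall(line))
    report = {"undefined_vars": sorted(undefined), "signatures": {}}
    for sid, hits in by_sid.items():
        hits.sort(key=lambda h: h["ts"])  # ISO timestamps sort chronologically
        times = [datetime.fromisoformat(h["ts"]) for h in hits]
        gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
        # Server->client packet: the private address on the ephemeral (>1024)
        # port is the client that opened the TLS connection to port 443.
        local_client = all(ipaddress.ip_address(h["dst"]).is_private
                           and int(h["dport"]) > 1024 and int(h["sport"]) < 1024
                           for h in hits)
        report["signatures"][sid] = {
            "msg": hits[0]["msg"],
            "count": len(hits),
            "policy_rule": hits[0]["msg"].startswith(("ET POLICY", "ETPRO POLICY"))
                           or "Privacy" in hits[0]["cls"],
            "local_side_is_client": local_client,
            "interval_s": gaps.pop() if len(gaps) == 1 else None,  # None = not periodic
            "remote_ips": sorted({h["src"] for h in hits}),
        }
    return report
```

For the posted lines the report shows one POLICY signature hitting every 600 seconds on connections the OPNsense WAN address itself opened, plus DC_SERVERS as the variable the PT Research rules expect but OPNsense does not define.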

chemlud:

--- Quote ---I feel like the Internet is kinda fooling me in terms of open DNS ports. Some say you have to open it,
--- End quote ---

Why would one open port 53, why would one open ANY port on WAN? Who proposes to open port 53 on WAN?

guest24551:
For example: https://serverfault.com/questions/476240/can-i-safely-close-port-53
But like I said, closing the port on WAN or making a rule to make it somewhat safer didn't work, even with DoT 853 enabled. It almost seems like OpenDNS is still communicating over that port, and since I am using it as a DNS filter, I thought that'd be OK!?

guest24551:
I have to mention that I didn't open the port manually. It seems to be enabled by default, since I have no rule that explicitly allows port 53 in any direction.

mimugmail:
Can you just upload the packet capture? As your WAN is a private IP, it's highly highly highly unusual that you got hacked. Also without Windows internally where you could have malware on .. highly unusual, and if yes, I'd guess you wouldn't be able to detect it.

Also, Sensei and Suricata on the same system .. this doesn't work. Just upload the capture and put some logs here; for now you have only put some guesses here :)
