Kamis, 13 September 2007

Blocking Port 53 TCP

I just read Experimental Storm Worm DNS Blocklist at SANS. The result of such a scheme looks something like this:


richard@neely:~$ host basic1.threatstop.com
;; Truncated, retrying in TCP mode.
basic1.threatstop.com has address 221.208.208.28
basic1.threatstop.com has address 221.208.208.27
basic1.threatstop.com has address 221.208.208.26
basic1.threatstop.com has address 221.208.208.25
basic1.threatstop.com has address 221.208.208.24
basic1.threatstop.com has address 221.208.208.23
basic1.threatstop.com has address 221.208.208.22
basic1.threatstop.com has address 221.208.208.21
basic1.threatstop.com has address 221.208.208.20
basic1.threatstop.com has address 221.208.208.19
basic1.threatstop.com has address 221.208.208.18
basic1.threatstop.com has address 221.208.208.17
basic1.threatstop.com has address 221.208.208.16
basic1.threatstop.com has address 221.208.208.15
basic1.threatstop.com has address 221.208.208.14
basic1.threatstop.com has address 221.208.208.13
basic1.threatstop.com has address 221.208.208.12
basic1.threatstop.com has address 221.208.208.11
basic1.threatstop.com has address 221.208.208.10
basic1.threatstop.com has address 221.208.208.9
basic1.threatstop.com has address 221.208.208.8
basic1.threatstop.com has address 221.208.208.7
basic1.threatstop.com has address 221.208.208.6
basic1.threatstop.com has address 221.208.208.5
basic1.threatstop.com has address 221.208.208.4
basic1.threatstop.com has address 221.208.208.3
basic1.threatstop.com has address 221.208.208.2
basic1.threatstop.com has address 221.208.208.1
basic1.threatstop.com has address 221.208.208.0

These IPs are supposed to be Storm Trojan infected hosts.

As soon as I saw that many records I knew TCP would be involved -- not UDP. Sure enough:



Basically, because so many records are returned, TCP is used. If you maintain a policy that blocks all port 53 TCP traffic because you heard that in a class somewhere, you might not be able to resolve these IPs. I wrote about this in my first book when I provided case studies on normal, suspicious, and malicious traffic using port 53 UDP and TCP.

0 komentar:

Posting Komentar