ICMP Tunnel and DNS UDP amplifier (DDoS)


Alexandre Berto Nogueira

Apr 18, 2018, 7:58:24 AM
to Hogzilla Users
We're looking at the Hogzilla ICMP Tunnel notes. However, I believe that a tunnel is characterized by a single source and a single destination with large packet sizes. The alerts are based on large packets but with multiple destinations. I think it's a false positive.

In the case of the DNS amplifier, an alert was raised, but checking with the server, these are valid interactive queries from other servers, only with responses of considerable size. I believe an amplification attack is better characterized by one or two origins with a large number of packets per second, since the packets are normally forged for an attack on a specific victim.

143.106.x.y:53 <?> 35.202.181.29:34614 (UDP, L-to-R: 1.1MB, R-to-L: 0 B, 7 pkts, duration: 21325s, sampling: 1/512)
143.106.x.y:53 <?> 177.124.108.195:26590 (UDP, L-to-R: 761.0KB, R-to-L: 0 B, 1 pkts, duration: 0s, sampling: 1/512)
143.106.x.y:53 <?> 66.220.156.48:46741 (UDP, L-to-R: 304.5KB, R-to-L: 0 B, 1 pkts, duration: 0s, sampling: 1/512)
143.106.x.y:53 <?> 74.125.47.129:39723 (UDP, L-to-R: 304.5KB, R-to-L: 0 B, 1 pkts, duration: 0s, sampling: 1/512)
143.106.x.y:53 <?> 186.215.155.242:38992 (UDP, L-to-R: 267.0KB, R-to-L: 0 B, 1 pkts, duration: 0s, sampling: 1/512)
143.106.x.y:53 <?> 177.124.108.195:12958 (UDP, L-to-R: 263.0KB, R-to-L: 0 B, 1 pkts, duration: 0s, sampling: 1/512)

Paulo Angelo

Apr 18, 2018, 6:21:12 PM
to Alexandre Berto Nogueira, Hogzilla Users
Hi Alexandre,

Thank you for the contributions. Some comments follow below.

DNS tunnels

The rule was matching flows in which the sum of the bytes in both directions is over a threshold (up + down > threshold).
Following your suggestion, I have already changed it to match flows in which there are bytes in both directions separately (up > threshold AND down > threshold).

DNS amplifier

I included a threshold ("UDPAmplifier.minPktsPerFlow" in the conf file) for the expected number of packets per flow for matching.


regards,

PA
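The rule change Paulo describes (sum of both directions versus a per-direction AND) and the new packets-per-flow threshold for the amplifier rule, applied to flow summaries in the format Alexandre pasted. This is an added illustration in Python, not Hogzilla's own Scala code: the flow-line parser, the `min_bytes`/`min_ratio` conditions in `amplifier()`, the threshold values, and the third (bidirectional) sample flow are all assumptions made for the example; only the AND-versus-sum change and the existence of a minimum packets-per-flow threshold come from the thread.

```python
"""Flow-summary rules in the spirit of the Hogzilla thread above.

Added example, not project code. Parses flow lines in the pasted format and
applies three rules:

  tunnel_old(f)  up + down > threshold                 (rule before the change)
  tunnel_new(f)  up > threshold AND down > threshold   (rule after the change)
  amplifier(f)   large, one-sided server-to-client volume AND at least
                 min_pkts packets per flow (the new packets-per-flow threshold)

The byte-volume and ratio conditions in amplifier() and every threshold value
below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Matches e.g. "143.106.x.y:53 <?> 35.202.181.29:34614 (UDP, L-to-R: 1.1MB, ...)"
FLOW_RE = re.compile(
    r"(?P<lip>\S+?):\s*(?P<lport>\d+)\s*<\?>\s*(?P<rip>\S+?):(?P<rport>\d+)\s*"
    r"\(UDP, L-to-R: (?P<up>[\d.]+\s*[KMG]?B), R-to-L: (?P<down>[\d.]+\s*[KMG]?B), "
    r"(?P<pkts>\d+) pkts, duration: (?P<dur>\d+)s, sampling: 1/(?P<samp>\d+)\)"
)


def parse_size(text):
    """'1.1MB' / '0 B' / '761.0KB' -> bytes (binary units assumed)."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    if m is None:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


@dataclass(frozen=True)
class Flow:
    lip: str
    lport: int
    rip: str
    rport: int
    up: int        # bytes L-to-R (local server -> remote)
    down: int      # bytes R-to-L (remote -> local server)
    pkts: int      # packets recorded for the flow (sampled count as printed)
    duration: int  # seconds
    sampling: int  # 1/N packet sampling rate


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparsable flow line: {line!r}")
    return Flow(m["lip"], int(m["lport"]), m["rip"], int(m["rport"]),
                parse_size(m["up"]), parse_size(m["down"]),
                int(m["pkts"]), int(m["dur"]), int(m["samp"]))


def estimated_packets(f):
    """Rough on-the-wire packet count: with 1/512 sampling, 7 sampled packets
    stand for about 3584. Set a packets-per-flow threshold in the units the
    flow record actually uses (sampled or scaled), not the other one."""
    return f.pkts * f.sampling


def tunnel_old(f, threshold):
    """Before the change: total volume, regardless of direction."""
    return f.up + f.down > threshold


def tunnel_new(f, threshold):
    """After the change: substantial volume in BOTH directions, which a
    one-sided burst of large responses cannot satisfy."""
    return f.up > threshold and f.down > threshold


def amplifier(f, min_bytes, min_pkts, min_ratio=10.0, server_port=53):
    """Assumed heuristic: our side is the DNS server port, it sent a lot,
    the flow is strongly asymmetric (responses >> requests), and it carried
    at least min_pkts packets so a single large legitimate answer does not fire."""
    if f.lport != server_port:
        return False
    ratio = f.up / f.down if f.down else float("inf")
    return f.up >= min_bytes and ratio >= min_ratio and f.pkts >= min_pkts


def classify(lines, tunnel_threshold, amp_min_bytes, amp_min_pkts):
    out = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        out.append({"remote": f"{f.rip}:{f.rport}",
                    "tunnel_old": tunnel_old(f, tunnel_threshold),
                    "tunnel_new": tunnel_new(f, tunnel_threshold),
                    "amplifier": amplifier(f, amp_min_bytes, amp_min_pkts)})
    return out


# Constructed sample: the first two lines mirror the thread, the third is a
# made-up bidirectional flow to show the AND rule firing.
SAMPLE = """\
143.106.x.y: 53 <?> 35.202.181.29:34614 (UDP, L-to-R: 1.1MB, R-to-L: 0B, 7 pkts, duration: 21325s, sampling: 1/512)
143.106.x.y:53 <?> 177.124.108.195:26590 (UDP, L-to-R: 761.0KB, R-to-L: 0 B, 1 pkts, duration: 0s, sampling: 1/512)
143.106.x.y:53 <?> 10.0.0.5:40001 (UDP, L-to-R: 900.0KB, R-to-L: 850.0KB, 400 pkts, duration: 3600s, sampling: 1/512)
"""

TUNNEL_THRESHOLD = 512 * 1024   # assumed
AMP_MIN_BYTES = 256 * 1024      # assumed
AMP_MIN_PKTS = 5                # assumed, plays the role of UDPAmplifier.minPktsPerFlow

if __name__ == "__main__":
    for r in classify(SAMPLE, TUNNEL_THRESHOLD, AMP_MIN_BYTES, AMP_MIN_PKTS):
        print(r)
```

With the assumed thresholds, the two one-sided flows from the thread still match the old sum rule but no longer match the per-direction AND rule, the 7-packet flow is the only one the amplifier rule keeps (the 1-packet flow is dropped by the packets-per-flow minimum), and the constructed bidirectional flow is the only tunnel candidate.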




