What is a DNS sinkhole?
A sinkhole is a standard DNS server that has been configured to hand out non-routable addresses for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real website.
The higher up the DNS hierarchy the sinkholing server sits, the more computers it will block. Some of the larger botnets have been made unusable by TLD sinkholes that span the entire Internet.
DNS sinkholes are effective at detecting and blocking malicious traffic, and are used to combat bots and other unwanted traffic.
A sinkhole does not need to be a large DNS server; it only needs to be somewhere in the DNS lookup chain. The local hosts file on a Windows, Unix or Linux computer is checked before any DNS server is asked, and can be used to block sites in the same way.
Example of Sinkhole Alert
Alert #1: ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26
Alert #2: ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - 195.22.26.192/26 (SRC: 195.22.26.248 DST: 10.101.8.116)
Findings of Sinkhole Alert
The time stamps on the above alerts coincided with each other: Alert #1 would appear first in Snort, then Alert #2 would appear.
It was at this point that I decided to run a packet capture with Wireshark on the DNS server, since that was the only consistent IP address listed in the Snort logs. The Wireshark PCAP revealed the following raw data (please note that the PCAP from Snort revealed the same information). This data was being communicated over port 443.
Now, upon first looking at the PCAP, it appears to be a file named invalid.cab, which is incorrect. What is actually happening is that the PC is using the domains ns2.csof.net and ns1 for DNS resolution and attempting to reach invalid.cab. For those who are not up to date, .cab is a new top-level domain, the same as .com or .net. Leveraging some very simple domain tools available on the internet, I was able to get a list of all sites listed under ns2 & ns1. One of the sites listed was https://invalid.cab.
We now have a portion of the mystery solved. The PCs are attempting to access a website named https://invalid.cab, which is why we were seeing port 443 as the communication port. Generally the bad guys like to obfuscate what they are doing, so I am assuming that is why the site was being run over 443 with HTTPS. The next question is: why are we seeing the Anubis Networks sinkhole in the IDS alert? Simple: Anubis Networks, a security firm, has taken control of the infected domain.
Any traffic destined for the original malicious domain invalid.cab is being redirected to the safe domain at Anubis Networks, lucky for us! The next question: what is infected on our network? Our network is heavily segregated; subnet traversal is not an option for the PCs. I had ruled out a worm-like infection. We are currently running Sophos UTM, which was detecting no infections on the network.
We also have content filtering on all machines through Sophos. The content filter detected no machines attempting to access invalid.cab, which led me to believe that the majority of the machines tripping the IDS were not actually infected. Next, I looked at our Sophos UTM console for machines with policy issues. That is when I found it: a machine that was unable to update its policies. I immediately pulled the machine off the network. The IDS alerts stopped immediately.
I am currently running ComboFix on the suspect machine to pull a valid infection sample from the machine to submit to Sophos. My suspicion is that Sophos will already have the sample in their database, and that the fact the machine could not push any policy updates is why it failed to detect anything, but I would rather be safe than sorry. From Google searching the DNS domains ns1 & ns2, it appears the infection is related to a Zeus Trojan.
This leaves one final question: why were so many PCs trying to access that domain? The only conclusion I could draw is that the infected machine was somehow attempting to poison our DNS server's results. Our Snort IDS is new; it is actually part of the Security Onion IDS. I have been tuning Security Onion over the last month and can clearly see the value of it. This leads me to my final point: antivirus and firewalls are not enough; your network, no matter how small it is, needs an IDS.
The IDS will give you a deep understanding of what is actually going on inside your network. Without the Security Onion IDS I would never have known about the Trojan inside my network. Luckily for us the Trojan domain had already been sinkholed, but what if it hadn't and we didn't have the IDS? A scenario like this could be absolutely disastrous to a network. The closest example to this type of scenario is a million-dollar house with its doors unlocked in the bad part of town. An IDS will take lots of work, from setup and tuning to monitoring, but anything worth doing is never easy.
I hope this article will prove useful and helpful to others.
Reference: https://community.spiceworks.com/topic/887257-very-confusing-ids-alert
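The investigation above turns on two observations: the "DNS Reply Sinkhole" alert always lands on the DNS server (because the resolver, not the victim, receives the sinkholed answer), and the "Sinkhole SSL Cert" alert that follows it names the host that actually connected to the sinkhole. The script below is an added example, not the original poster's tooling, that automates that triage over a Snort fast-format alert log: it separates resolvers from clients, pairs each SSL-cert alert with a DNS-reply alert inside a short window, and checks that the external peer really sits inside a known sinkhole range, so a rule that merely says "sinkhole" is not mistaken for a sinkholed connection when the peer is somewhere else. The signature names and the 195.22.26.192/26 range are taken from the alerts quoted on this page; the SIDs 9000001/9000002, the timestamps, the 10.101.8.x client addresses, the 10.101.8.0/24 home network and the 203.0.113.9 address are constructed placeholders.

```python
"""Triage Emerging Threats sinkhole alerts from a Snort "fast" alert log.

Added example for this page; it is not the original poster's tooling. The
signature names and the 195.22.26.192/26 sinkhole range come from the alerts
quoted above. The SIDs (9000001/9000002), timestamps, 10.101.8.x client
addresses, HOME_NET and the 203.0.113.9 peer below are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# $HOME_NET as Snort would see it here (assumed from the 10.101.8.x addresses above).
HOME_NET = ipaddress.ip_network("10.101.8.0/24")

# Address blocks operated by known sinkholes; the page names only this one.
SINKHOLE_RANGES = {ipaddress.ip_network("195.22.26.192/26"): "AnubisNetworks"}

# Snort fast format:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

# Constructed log: two resolutions (alert #1 lands on the DNS server), the clients
# that then connected to the sinkhole (alert #2), one SSL hit with no DNS reply in
# the window (e.g. a cached answer), and one "sinkhole" alert whose peer is outside the range.
SAMPLE_LOG = """\
06/02-09:14:03.101200  [**] [1:9000001:1] ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 195.22.26.248:53 -> 10.101.8.116:34871
06/02-09:14:03.488700  [**] [1:9000002:1] ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.22.26.248:443 -> 10.101.8.57:49811
06/02-09:14:03.490100  [**] [1:9000002:1] ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.22.26.248:443 -> 10.101.8.101:50122
06/02-09:19:45.020000  [**] [1:9000001:1] ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 195.22.26.248:53 -> 10.101.8.116:40210
06/02-09:19:45.300000  [**] [1:9000002:1] ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.22.26.248:443 -> 10.101.8.57:49902
06/02-09:25:10.000000  [**] [1:9000002:1] ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.22.26.248:443 -> 10.101.8.101:50377
06/02-09:30:00.000000  [**] [1:9000002:1] ET TROJAN AnubisNetworks Sinkhole SSL Cert lolcat - 195.22.26.192/26 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.9:443 -> 10.101.8.200:51000
"""


def parse_fast_alert(line):
    """Parse one fast-format alert line; returns None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Fast format carries no year, so only deltas within one log are meaningful.
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    return rec


def sinkhole_operator(ip):
    """Name of the sinkhole operator whose range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in SINKHOLE_RANGES.items() if addr in net), None)


def triage(log_text, window_seconds=5.0):
    """Split sinkhole alerts into the resolver that received the sinkholed answer,
    the clients that then connected to the sinkhole, and alerts needing a closer look."""
    alerts = [a for a in map(parse_fast_alert, log_text.splitlines()) if a]
    alerts.sort(key=lambda a: a["ts"])
    dns_reply_times, resolvers = [], set()
    client_hits, unpaired, unverified = Counter(), [], []
    for a in alerts:
        if ipaddress.ip_address(a["dst"]) in HOME_NET:
            internal, external = a["dst"], a["src"]
        elif ipaddress.ip_address(a["src"]) in HOME_NET:
            internal, external = a["src"], a["dst"]
        else:
            continue  # neither side is ours; out of scope here
        if sinkhole_operator(external) is None:
            # The rule name says "sinkhole", but the peer is outside every known
            # sinkhole range: treat it as possibly live C2, not a sinkhole hit.
            unverified.append((a["ts"], internal, external))
            continue
        if "DNS Reply Sinkhole" in a["msg"]:
            # Alert #1: the sinkholed A record arrives at whoever asked upstream,
            # which behind a recursive resolver is the DNS server, not the victim.
            dns_reply_times.append(a["ts"])
            resolvers.add(internal)
        elif "Sinkhole SSL Cert" in a["msg"]:
            # Alert #2: the host that actually opened a connection to the sinkhole.
            client_hits[internal] += 1
            preceded = any(0 <= (a["ts"] - t).total_seconds() <= window_seconds
                           for t in dns_reply_times)
            if not preceded:
                unpaired.append((a["ts"], internal))
    return {
        "resolvers": sorted(resolvers),
        "client_hits": dict(client_hits),
        "unpaired_ssl": unpaired,
        "unverified": unverified,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed log, the resolver 10.101.8.116 shows up only under `resolvers`, the hosts that connected are counted under `client_hits`, the 09:25:10 connection from 10.101.8.101 is listed as unpaired because no DNS-reply alert preceded it within the window, and the 203.0.113.9 peer is reported as unverified. On a real Security Onion box the same pairing can be fed from Snort's alert file, with HOME_NET and SINKHOLE_RANGES set to the local network and to the sinkhole ranges named in the rules that actually fire.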