DNS Rebinding Signatures
2007-10-31 11:06:33
These signatures were scheduled for deletion on October 10, 2007; I would like to find out why.

They seem to be useful signatures. Is the reason that it is difficult for end-users to identify external DNS? Were there a large number of non-malicious resolutions that resolve internal addresses? Or is there another reason?

A correction for 2006916 and 2006920, should anyone find these useful, is specifying the entire loopback range instead of just 127.0.0.1; it should be 127.0.0.0/8.

Blake Hartstein



#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.0.0/8 address (local IP from remote DNS Server)"; content:"|c0 0c 00 01 00 01|"; content:"|00 04 7f|"; within:3; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:4;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.0.0/8 address (local IP from remote DNS Server)"; flow:established,from_server; content:"|c0 0c 00 01 00 01|"; content:"|00 04 7f|"; within:3; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006920; rev:5;)

CVS: http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Rebinding?rev=1.11&view=log



_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: DNS Rebinding Signatures
2007-10-31 11:43:35
On Wed, 2007-10-31 at 12:06 -0400, Blake Hartstein wrote:
> These signatures were scheduled for deletion on October 10, 2007; I
> would like to find out why.
>
> They seem to be useful signatures, is the reason that it is difficult
> for end-users to identify external DNS? Were there a large number of
> non-malicious resolutions that resolve internal addresses? Or is there
> another reason?

Can't comment on the exact reason, but there was a definite issue with non-malicious resolutions. RBLs are the big example here; anyone with a mailserver doing RBL checks would have been deluged with hits on 127.x.x.x. The number of misconfigured systems out there seemed surprisingly large too.

-- 
 Robert Kerr

Re: DNS Rebinding Signatures
2007-11-01 01:23:14
On Oct 31, 2007 9:43 AM, Robert Kerr <r.kerr@cranfield.ac.uk> wrote:
>
> On Wed, 2007-10-31 at 12:06 -0400, Blake Hartstein wrote:
> > These signatures were scheduled for deletion on October 10, 2007; I
> > would like to find out why.
> >
> > They seem to be useful signatures, is the reason that it is difficult
> > for end-users to identify external DNS? Were there a large number of
> > non-malicious resolutions that resolve internal addresses? Or is there
> > another reason?
>
> Can't comment on the exact reason, but there was a definite issue with
> non-malicious resolutions. RBLs are the big example here, anyone with a
> mailserver doing RBL checks would have been deluged with hits on
> 127.x.x.x.

Seems like something a bit of tuning (suppress/pass rules)
could take care of.

> The number of misconfigured systems out there seemed
> surprisingly large too.

People's ability to fsck up configurations of any kind is astounding. There is one relevant thing we've been trying to track with these sigs, although it's an older tactic. For DNS based C&C channels, and bot agents configured to check in at a set interval (every minute say) for command retrieval, it's been easy to pick up on them because of lots of regularly timed requests heading to the Internet. It seemed that, in an effort to control this, herders would set C&C host addresses of 127.0.0.1 in DNS while there was no new command to issue and then update the record to a valid host address when the client was supposed to connect in. This caused a sleeper cell situation where the bot would appear dormant until the record updated, but would be easy to clue in on when seeing 127.0.0.1 come back in a DNS response from the outside.

As far as the rebinding sigs / attack goes, have browsers and active media plugins nowadays been fixed enough to rectify the threat?

-- 
Darren Spruell
phatbuckett@gmail.com
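An added example (not code from the Bleeding Edge ruleset or from anyone on this thread) that re-implements what sids 2006916/2006920 match and the tuning discussed above. The byte pattern in the rules is a compressed name pointer (c0 0c) followed by type A, class IN, a 4-byte TTL, RDLENGTH 4 and a first address octet of 0x7f. The Python below parses the answer section properly, checks each A record against 127.0.0.0/8 (Blake's /8 correction), and then exempts replies to DNSBL lookups by query name, which is the class of false positive Robert describes and the kind of pass/suppress tuning Darren suggests. The DNSBL zone names, packets and addresses are all constructed for the example and assume nothing about any real list.

```python
import ipaddress
import struct

# Constructed allowlist of DNSBL zones (placeholders for an operator's own list);
# replies to lookups under these zones legitimately carry 127.0.0.x answers.
DNSBL_ZONES = ("zen.example-dnsbl.test", "bl.example-rbl.test")

# Whole loopback range, per Blake's correction, rather than only 127.0.0.1.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# The literal first content match from the rules: pointer to offset 12, type A, class IN.
RULE_PREFIX = b"\xc0\x0c\x00\x01\x00\x01"


def read_name(msg, offset):
    """Decode a DNS name at offset, following compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # pointer: 11xxxxxx xxxxxxxx
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_answers(msg):
    """Return (first question name, list of (name, type, class, ttl, rdata))."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset, qname, answers = 12, None, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qname = qname or name
        offset += 4                                  # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, rclass, ttl, msg[offset:offset + rdlength]))
        offset += rdlength
    return qname, answers


def snort_pattern_matches(msg):
    """Restate the rule's matching: after RULE_PREFIX skip 4 bytes (the TTL,
    distance:4) and expect '00 04 7f' exactly there (within:3)."""
    idx = msg.find(RULE_PREFIX)
    while idx != -1:
        pos = idx + len(RULE_PREFIX) + 4
        if msg[pos:pos + 3] == b"\x00\x04\x7f":
            return True
        idx = msg.find(RULE_PREFIX, idx + 1)
    return False


def loopback_a_records(msg):
    """Addresses from type A / class IN answers that fall inside 127.0.0.0/8."""
    _, answers = parse_answers(msg)
    return [str(ipaddress.IPv4Address(rdata))
            for _, rtype, rclass, _, rdata in answers
            if rtype == 1 and rclass == 1 and len(rdata) == 4
            and ipaddress.IPv4Address(rdata) in LOOPBACK]


def classify(msg, allowlist=DNSBL_ZONES):
    """'clean' when no loopback answer; 'suppressed' when the query name is under
    an allowlisted DNSBL zone (the tuning step); otherwise 'alert'."""
    if not loopback_a_records(msg):
        return "clean"
    qname, _ = parse_answers(msg)
    if qname and any(qname == z or qname.endswith("." + z) for z in allowlist):
        return "suppressed"
    return "alert"


def build_response(qname, addr, ttl=60):
    """Constructed test data: one-question, one-answer response whose answer
    name is the c0 0c pointer the rules key on."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + question + answer + ipaddress.IPv4Address(addr).packed


if __name__ == "__main__":
    for name, ip in (("www.example.test", "93.184.216.34"),
                     ("cnc.example.test", "127.0.0.1"),
                     ("2.0.0.127.zen.example-dnsbl.test", "127.0.0.2")):
        pkt = build_response(name, ip)
        print(f"{name:36} {ip:14} snort_match={snort_pattern_matches(pkt)!s:5} {classify(pkt)}")
```

Running it shows the point of the thread in three lines: the raw byte pattern fires on both the DNSBL reply and the sleeper-cell style 127.0.0.1 answer, because at the wire level they are identical; only knowledge of the query name separates the two, and a pass rule or suppress keyed on that name is what the tuning Darren mentions would have to encode.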

Re: DNS Rebinding Signatures
2007-11-01 05:21:57
Yes, Robert is on the right track. We had reports of massive falses on the localhost ones especially. On the others as well, but to a lesser degree.

Basically, it seemed they were too much risk of falses in return for a pretty unlikely to be exploited issue. But if anyone sees value in them I can gladly keep them in the ruleset but disabled by default.

Matt

Robert Kerr wrote:
> On Wed, 2007-10-31 at 12:06 -0400, Blake Hartstein wrote:
>> These signatures were scheduled for deletion on October 10, 2007; I
>> would like to find out why.
>
>> They seem to be useful signatures, is the reason that it is difficult
>> for end-users to identify external DNS? Were there a large number of
>> non-malicious resolutions that resolve internal addresses? Or is there
>> another reason?
>
> Can't comment on the exact reason, but there was a definite issue with
> non-malicious resolutions. RBLs are the big example here, anyone with a
> mailserver doing RBL checks would have been deluged with hits on
> 127.x.x.x. The number of misconfigured systems out there seemed
> surprisingly large too.
>

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc

