
UDP Payload Inspection: DNS malicious attack protection

by sosman on 03-08-2012 11:43 AM

Tested with ADX: Yes

Description:

Protection against the known malicious DNS attack described below: DNS dynamic update requests are identified by their opcode and steered to a separate server group.

US-CERT Vulnerability Note:

  • Vulnerability Note VU#725188: ISC BIND 9 vulnerable to denial of service via dynamic update request
  • Overview: ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.

Details:

  • The script unpacks the UDP payload into a bit string, reads the opcode field of the DNS header and checks for opcode 5 (dynamic update).
  • In network bit order (most significant bit of each byte first), the 16-bit ID occupies bits 0-15, QR is bit 16 and the 4-bit opcode is bits 17-20; the script therefore skips to the 18th bit (offset 17, counting from 0) and captures the next 4 bits.
  • If the captured string is "0101" (opcode 5), forward to server group 30.
  • Otherwise (any other opcode), forward to server group 40.
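The header arithmetic above, worked through in stand-alone Perl. This is an added example, not the script from the post and not Brocade/ADX OpenScript code: it runs without the OS_UDP and OS_SLB modules, uses constructed sample datagrams rather than captured traffic, and keeps the post's server group numbers 30 and 40 as plain strings. It extracts the opcode two ways (the bit-string method the script uses, and a 16-bit mask) and shows why the bit string must be unpacked with "B*", not "b*".

```perl
#!/usr/bin/perl
# Added example (not part of the original OpenScript post): parse the DNS
# header opcode out of a raw UDP payload and classify the datagram.
use strict;
use warnings;

# Opcode values from RFC 1035 / RFC 1996 / RFC 2136.
my %OPCODE_NAME = (0 => 'QUERY', 1 => 'IQUERY', 2 => 'STATUS',
                   4 => 'NOTIFY', 5 => 'UPDATE');

# Method 1: bit string, as in the script. "B*" renders every byte with its
# most significant bit first, which is the order RFC 1035 draws the header
# in: ID = bits 0-15, QR = bit 16, OPCODE = bits 17-20 (the 18th bit,
# counting from 1). "b*" would render least significant bit first, so a
# 4-bit window taken from it contains the AA flag plus the low opcode bits
# in reverse; it happens to read "0101" for an UPDATE with AA clear, but it
# is not decoding the opcode.
sub opcode_from_bits {
    my ($payload) = @_;
    return undef if length($payload) < 12;      # a DNS header is 12 bytes
    my $bits = unpack('B*', $payload);
    return oct('0b' . substr($bits, 17, 4));
}

# Method 2: read the second header word as a big-endian 16-bit integer and
# mask the opcode out. Layout: QR(1) OPCODE(4) AA TC RD RA Z(3) RCODE(4).
sub opcode_from_flags {
    my ($payload) = @_;
    return undef if length($payload) < 12;
    my (undef, $flags) = unpack('n n', $payload);
    return ($flags >> 11) & 0x0F;
}

# The decision the script makes: opcode 5 (dynamic update) goes to server
# group 30, everything else to server group 40. Group ids are assumed
# from the post; nothing here talks to a load balancer.
sub pick_group {
    my ($payload) = @_;
    my $op = opcode_from_flags($payload);
    return (defined $op && $op == 5) ? '30' : '40';
}

# Constructed sample datagrams (not captured traffic). Both carry the same
# question section; only the header flags word differs:
#   0x0100 = QR 0, opcode 0 (QUERY), RD set      -> a normal recursive query
#   0x2800 = QR 0, opcode 5 (UPDATE), no flags   -> a dynamic update
my $zone   = pack('C/a* C/a* x', 'example', 'com');   # 7example3com\0
my $QUERY  = pack('n n n n n n', 0x1234, 0x0100, 1, 0, 0, 0) . $zone . pack('n n', 1, 1);   # A IN
my $UPDATE = pack('n n n n n n', 0xabcd, 0x2800, 1, 0, 0, 0) . $zone . pack('n n', 6, 1);   # SOA IN
my $SHORT  = "\x12\x34";                              # truncated: not even a full header

for my $sample ([QUERY => $QUERY], [UPDATE => $UPDATE], [SHORT => $SHORT]) {
    my ($label, $payload) = @$sample;
    my $op = opcode_from_flags($payload);
    printf "%-6s opcode=%s (%s) bitstring=%s -> group %s\n",
        $label,
        defined $op ? $op : 'n/a',
        defined $op ? ($OPCODE_NAME{$op} // 'reserved') : 'too short',
        defined $op ? opcode_from_bits($payload) : 'n/a',
        pick_group($payload);
}
```

Both methods agree on well-formed packets; the integer mask is cheaper per datagram because it never builds a bit string. The length guard matters on a load balancer: a datagram shorter than 12 bytes has no opcode to read, and falling through to group 40 is the safer default than indexing past the end of the payload.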

Limitations: The UDP_CLIENT_DATA event only sees UDP datagrams, so a dynamic update sent over TCP is not inspected by this script. The script also only steers traffic: opcode-5 messages are forwarded to server group 30 rather than dropped, so whatever sits in group 30 must itself tolerate dynamic update requests.

Required Information: No special configuration on the ADX is required.

Script Source Code:

use OS_UDP;
use OS_SLB;
use OS_IP;

# Runs for each UDP datagram received from the client.
sub UDP_CLIENT_DATA {
    my $payload = OS_UDP::payload;
    print "# $payload\r\n";

    # "B*" renders each byte most significant bit first (network order):
    # bits 0-15 are the DNS ID, bit 16 is QR, bits 17-20 are the opcode.
    my $mydata = unpack("B*", $payload);
    print "## $mydata\r\n";

    # Skip to the 18th bit (offset 17) and take the 4-bit opcode.
    my $mystring = substr($mydata, 17, 4);
    print "### $mystring\r\n";

    # Opcode 5 (0101) is a dynamic update: send it to server group 30,
    # everything else to server group 40. Compare as strings with "eq",
    # not "==", which would compare the strings as numbers.
    if ($mystring eq "0101") {
        OS_SLB::forward("30");
    } else {
        OS_SLB::forward("40");
    }
}

Comments
by Derek_Kang
on 03-08-2012 02:04 PM

Awesome!