Netgate SG-1000 microFirewall

Author Topic: PROTOCOL-DNS DNS query amplification attempt - now hosting TOR traffic  (Read 179 times)

0 Members and 1 Guest are viewing this topic.

Offline armaclaren

  • Newbie
  • *
  • Posts: 4
  • Karma: +1/-0
    • View Profile
To whom it may concern,

I thought I would reach out to the community for some help on a potential issue. The other day I saw the following error in my firewall log that was blocked by SNORT.

PROTOCOL-DNS DNS query amplification attempt
 
I did some google research and was concerned, but didnt find much on this issue. I did however, find a website about how to setup PFsense to block DNS requests in case of potential malware:

https://www.doyler.net/security-not-included/pfsense-block-dns-requests-no-malware

What caught my attention was at the time; I was setting up a new PFsense appliance that was behind my current firewall (Iím kind of paranoid like that, keeping a safe environment until the new one is 100% setup).

The new PFsense appliance was still waiting to download the Emerging Threats Open Rule set when SNORT made mention in the new PFsense appliance logs, that it had blocked a mal-formed packet. After that. Nothing, everything was just quiet. Just the occasional PROTOCOL-DNS DNS query amplification attempt in the logs.

Today I was going through my PFsense logs on my main appliance and it looks like the new appliance I am setting up; after blocking that mal-formed packet is now routing TOR traffic (on port 123).
 
Clearly my network has been compromised. But what Iím concerned about is the new appliance and how after a mal-formed packet, itís now routing TOR traffic. Has anyone seen this before?

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2435
  • Karma: +192/-9
    • View Profile
Re: PROTOCOL-DNS DNS query amplification attempt - now hosting TOR traffic
« Reply #1 on: January 22, 2018, 01:29:59 am »

I did some google research and was concerned, but didnt find much on this issue. I did however, find a website about how to setup PFsense to block DNS requests in case of potential malware:

https://www.doyler.net/security-not-included/pfsense-block-dns-requests-no-malware
That site explains how to block DNS requests from devices on LAN to external DNS name servers. The enforce the usage of pfSense as a DNS.
This has nothing to do with stopping malware. malware often hard-codes IP addresses so no need to a DNS lookup anyway.


......
Today I was going through my PFsense logs on my main appliance and it looks like the new appliance I am setting up; after blocking that mal-formed packet is now routing TOR traffic (on port 123).
 Clearly my network has been compromised. But what Iím concerned about is the new appliance and how after a mal-formed packet, itís now routing TOR traffic. Has anyone seen this before?
So, what have you hook up behind these pfSense installations ? When you remove all devices, the alerts stops, right ? Clean your devices and you'll be fine.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15188
  • Karma: +1414/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: PROTOCOL-DNS DNS query amplification attempt - now hosting TOR traffic
« Reply #2 on: January 22, 2018, 05:40:28 am »
Also let me point out that snort can produce a shit ton of false positives!!!

You need to fully understand what your viewing when snort says xyz..And you should really validate that its actually bad and not just false positive...  Could be simple dns query and ntp query happening..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline NogBadTheBad

  • Sr. Member
  • ****
  • Posts: 502
  • Karma: +45/-0
    • View Profile
Re: PROTOCOL-DNS DNS query amplification attempt - now hosting TOR traffic
« Reply #3 on: January 22, 2018, 09:34:10 am »
People would now appear to be hosting NTP servers on TOR exit nodes, I've seen it myself as I enable emerging-tor.rules

https://forum.pfsense.org/index.php?topic=103222.msg576506#msg576506

What does the alert read, x.x.x.x out your personal address ?

2018-01-19,13:51:10,Alert,pfsense,auth,snort,[1:2523263:3211] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 632 [Classification: Misc Attack] [Priority: 2] {UDP} 95.211.224.12:123 -> x.x.x.x:35404

I just use the following:- 

0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
« Last Edit: January 22, 2018, 09:45:03 am by NogBadTheBad »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15188
  • Karma: +1414/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: PROTOCOL-DNS DNS query amplification attempt - now hosting TOR traffic
« Reply #4 on: January 22, 2018, 09:50:28 am »
Yeah you can see for sure that IP is part of the ntp pool.

http://www.pool.ntp.org/scores/95.211.224.12
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: PROTOCOL-DNS DNS query amplification attempt - now hosting TOR traffic
« Reply #5 on: January 22, 2018, 11:08:40 am »
Yeah you can see for sure that IP is part of the ntp pool.

http://www.pool.ntp.org/scores/95.211.224.12

Yeah...that's my biggest gripe with a lot of the blacklist type of IP lists.  They mix up the good guys and the bad guys sometimes, and it is frequently difficult to get mistakes fixed.

Bill