
Detect DNS Fast Flux

Open simonemainardi opened this issue 5 years ago • 3 comments

See if a heuristic can be implemented to detect DNS Fast Flux. An example heuristic is described at https://osqa-ask.wireshark.org/questions/18394/help-with-filters-for-detecting-fast-flux-in-dns-queries

simonemainardi, Mar 27 '19 09:03

Wondering if this could just be implemented as a flow risk.

simonemainardi, Aug 25 '21 10:08

~~Seems possible to me. We probably just need to implement a risk based on this tshark filter:~~ ~~'dns.flags.response == 1' -R 'dns.qry.type == 0x0001' -R 'dns.count.answers >= 1'~~

~~It could also be implemented as a protocol detection routine (or set a risk additionally) which is a subprotocol of DNS.~~

After a first investigation: FF is more sophisticated than a simple tshark filter. ;)

utoni, Oct 06 '21 11:10

In my opinion there are two possibilities for implementing such a feature. But both may not be suited for the core library.

1. ~~For every DNS request/response, let nDPI do its own DNS lookup and verify the responses of the dissected one. This approach consumes less memory but requires more CPU and network usage. It may also not be very effective against FastFlux and result in false negatives.~~
2. Cache every IP from a DNS response together with the requested hostname and check for frequent changes in requested hostnames and responded IPs. This approach consumes (much) more memory but requires less CPU (if done right) and network usage.

I think there is an architectural decision to make, if and how nDPI should deal with such things.

utoni, Oct 26 '21 09:10
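Option 2 from the comment above, sketched as an added example that is not nDPI code: a per-hostname cache of the distinct A-record answers seen, flagged when a name accumulates many IPs at short TTLs and most responses rotate the answer set. The table sizes, the thresholds (`FLUX_MIN_IPS`, `FLUX_MAX_TTL`) and the absence of eviction are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Assumed sizes and thresholds; a real implementation would tune these and evict. */
#define MAX_HOSTS     64
#define MAX_IPS       32
#define FLUX_MIN_IPS   6    /* distinct A records seen for one name */
#define FLUX_MAX_TTL 300    /* seconds; fast-flux names keep TTLs short */

struct host_entry {
  char name[64];
  uint32_t ips[MAX_IPS];
  int n_ips;        /* distinct IPs cached for this name */
  int n_responses;  /* A responses observed for this name */
  int n_changes;    /* responses that introduced at least one new IP */
  uint32_t min_ttl; /* smallest answer TTL seen */
};

struct flux_cache { struct host_entry hosts[MAX_HOSTS]; int n_hosts; };

static struct host_entry *lookup(struct flux_cache *c, const char *name) {
  for (int i = 0; i < c->n_hosts; i++)
    if (strcmp(c->hosts[i].name, name) == 0) return &c->hosts[i];
  if (c->n_hosts == MAX_HOSTS) return NULL;   /* eviction left out of the sketch */
  struct host_entry *e = &c->hosts[c->n_hosts++];
  memset(e, 0, sizeof(*e));
  strncpy(e->name, name, sizeof(e->name) - 1);
  e->min_ttl = UINT32_MAX;
  return e;
}

/* Feed one dissected A response: queried name, its answer IPs (host order) and TTL.
   Returns 1 if the name now matches the fast-flux heuristic, 0 otherwise. */
int flux_observe(struct flux_cache *c, const char *name,
                 const uint32_t *answers, int n_answers, uint32_t ttl) {
  struct host_entry *e = lookup(c, name);
  if (!e) return 0;
  int added = 0;
  for (int i = 0; i < n_answers; i++) {
    int known = 0;
    for (int j = 0; j < e->n_ips; j++) if (e->ips[j] == answers[i]) { known = 1; break; }
    if (!known && e->n_ips < MAX_IPS) { e->ips[e->n_ips++] = answers[i]; added = 1; }
  }
  e->n_responses++;
  if (added) e->n_changes++;
  if (ttl < e->min_ttl) e->min_ttl = ttl;
  /* risk: many distinct IPs, short TTL, and more than half of the responses rotated */
  return e->n_ips >= FLUX_MIN_IPS && e->min_ttl <= FLUX_MAX_TTL &&
         e->n_changes * 2 > e->n_responses;
}
```

A stable CDN name that returns the same two addresses at a low TTL never trips it, while a name that hands out a fresh address on every short-TTL response is flagged once the sixth distinct IP is seen.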