Odd DNS replies from 10 nets and RFC1323 impacting firewalls

Published: 2012-05-15
Last Updated: 2012-05-16 01:21:08 UTC
by Dan Goldberg (Version: 6)
7 comment(s)

Reader Bob wrote in reporting increasingly frequent incoming DNS replies on UDP 53 that carry valid DNS answers but arrive from source addresses in the 10.0.0.0/8 range. The responses appear to be from the Internet root servers to DNS servers that are querying the root.

Anyone else see this kind of behavior?


Over the past week another couple of readers have written in reporting issues accessing the ISC web page. The SANS NOC reports that RFC 1323 timestamps were being scrubbed by our firewall to prevent information disclosure, but the TCP checksum wasn't being updated afterwards. The packet was subsequently dropped by the end device because its checksum no longer matched.

This appears to be impacting users using Bluecoat web proxies. We will have more to post on this topic throughout the day.



RFC 1323 describes TCP extensions used to improve performance over high-delay and high-speed networks.
These include the Window Scale option, Round Trip Time Measurement (RTTM), and Protection Against Wrapped Sequence numbers (PAWS).

Window scaling is implemented by shifting the 16-bit window field into a 32-bit value: an option carries a shift count, and the receiver multiplies the advertised 16-bit window by 2 raised to that count to get the real window size. Recall that the window size is how many bytes a node can buffer before it needs the transmitter to slow down.

tcpdump displays this option in the TCP options as, for example, WS=6, where 6 is the shift count.

Wireshark displays the same option as, for example, "Window Scale: 7 (Multiply by 128)".

Round Trip Time Measurement (RTTM) uses TCP option 8, the Timestamps option. It contains a 32-bit Timestamp Value (TSval), set by the sender to its clock value at sending time, and a 32-bit Timestamp Echo Reply (TSecr), which is only valid when the accompanying ACK flag is set and echoes the TSval most recently received from the remote host in the session. These values are tracked over time to estimate the round-trip time and adapt to changing traffic conditions.

PAWS provides a simple mechanism to reject old duplicate segments that might corrupt an open TCP connection. It uses the same timestamps as RTTM. The basic idea is that a segment can be discarded as an old duplicate if it is received with a timestamp less than some timestamp recently received on this connection.

Here is what Bluecoat has to say on the topic: https://kb.bluecoat.com/index?page=content&id=FAQ1006

PAWS looks for the timestamp to be advancing, and the timestamp mechanism is used to keep as much data in transit as possible between communicating hosts.

The risk to data transport in this case is that two hosts, or their intermediaries, can't negotiate a common method of communicating with or without these options. This can happen with firewalls, as in our case, or with incompatible endpoints. It is interesting to note that Windows implemented these options in Windows 2000, but did not enable them by default until Windows 2008.
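To make the firewall failure above concrete, here is an added example (not code from the diary or from the firewall vendor) that builds a SYN/ACK carrying the RFC 1323 options, walks the option list for the window scale shift count and the timestamps, computes the TCP checksum over the IPv4 pseudo-header, and then models a middlebox that overwrites the timestamp option with NOPs with and without recomputing the checksum. The addresses, ports and timestamp values are constructed sample data; TS_OPT, scrub_timestamps and checksum_ok are names chosen for this example.

```python
import socket
import struct
# Constructed sample values, not taken from the diary: RFC 5737 documentation addresses.
SRC, DST = "192.0.2.10", "198.51.100.20"
TS_OPT = b"\x08\x0a" + struct.pack("!II", 123456, 654321)  # kind 8, len 10, TSval, TSecr

def tcp_checksum(src, dst, segment):
    """RFC 793 one's-complement sum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]  # checksum field counts as zero
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn_ack():
    """SYN/ACK with options NOP,NOP,Timestamps / NOP,Window Scale 7 / SACK-permitted,NOP,NOP."""
    opts = b"\x01\x01" + TS_OPT + b"\x01\x03\x03\x07" + b"\x04\x02\x01\x01"
    doff = (20 + len(opts)) // 4  # header length in 32-bit words
    seg = struct.pack("!HHIIBBHHH", 443, 51515, 1000, 2001, doff << 4, 0x12, 0xFFFF, 0, 0) + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC, DST, seg)) + seg[18:]

def parse_options(segment):
    """Walk the TCP options and return the RFC 1323 values present."""
    opts, i, out = segment[20:(segment[12] >> 4) * 4], 0, {}
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        kind = opts[i]
        length = 1 if kind == 1 else opts[i + 1]   # kind 1 (NOP) has no length byte
        body = opts[i + 2:i + length]
        if kind == 3:
            out["wscale"] = body[0]                # a shift count, not a multiplier
        elif kind == 8:
            out["tsval"], out["tsecr"] = struct.unpack("!II", body)
        i += length
    return out

def effective_window(segment):  # the window the peer really uses: 16-bit field << shift
    return struct.unpack("!H", segment[14:16])[0] << parse_options(segment).get("wscale", 0)

def scrub_timestamps(segment, recompute_checksum):
    """Model the firewall: overwrite the timestamp option with NOPs, header length unchanged."""
    idx = segment.find(TS_OPT)
    out = segment[:idx] + b"\x01" * len(TS_OPT) + segment[idx + len(TS_OPT):]
    if recompute_checksum:
        out = out[:16] + struct.pack("!H", tcp_checksum(SRC, DST, out)) + out[18:]
    return out

def checksum_ok(segment):  # the check the end host performs before accepting the segment
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(SRC, DST, segment)
```

A scrubber that rewrites any header byte must recompute the TCP checksum (and, on IPv4, the IP checksum if it touched the IP header), otherwise every rewritten segment is silently discarded by the receiver, which is exactly the symptom reported above.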

Dan
SANS Internet Storm Center Handler

Update:
----------------------------------------------------------
Some references I used to look into this today:


The RFC: http://www.ietf.org/rfc/rfc1323.txt
http://www.networksorcery.com/enp/protocol/tcp/option008.htm
http://packetlife.net/blog/2010/aug/4/tcp-windows-and-window-scaling/
http://www.ecr6.ohio-state.edu/window-scaling.html
technet.microsoft.com/en-us/library/bb726965.aspx
technet.microsoft.com/en-us/library/bb878127.aspx


This is by no means an exhaustive article on this topic; it is just a beginning. I will look to other handlers to fill in the gaps, and will look into it more as time goes on.


Another pertinent discussion is IP options versus TCP options. This discussion stays in IPv4 land.
As the names state, IP options (and their padding) are in the Internet Protocol header of a packet: they form the final, variable-length part of the IPv4 header, padded out to a 32-bit boundary. TCP options are contained within the TCP header.

Using the following page as a reference: http://www.networksorcery.com/enp/protocol/ip.htm#Options. IP options deliver a handful of IP features that in general are not used. Every IPv4 header begins with the version field (4 in this case) and the IHL, the header length in 32-bit words, which is 5 at minimum and by default. If options are set, that number grows depending on the options present. For the most part these options are not used; IP options include features like source routing, which could permit undesirable results. Each option is described in detail on the reference page above.

TCP options are more central to the operation of the protocol than IP options are: IP options add optional features, whereas TCP options make the protocol work. A list of TCP options is available here: http://www.networksorcery.com/enp/protocol/tcp.htm#Options. Option 8 carries the timestamps used for RTTM and PAWS discussed above. Other options include Selective Acknowledgement (options 4 and 5) and option 3, Window Scale Factor (discussed above and in RFC 1323). These options extend and enhance TCP protocol operation.

In conclusion, both TCP and IP offer options that can enhance the protocols. Understanding them can affect the operability and availability of a network.

ISC StormCast for Tuesday, May 15th 2012 http://isc.sans.edu/podcastdetail.html?id=2533
