Thursday, September 13, 2007

Blocking Port 53 TCP

I just read Experimental Storm Worm DNS Blocklist at SANS. The result of such a scheme looks something like this:

richard@neely:~$ host basic1.threatstop.com
;; Truncated, retrying in TCP mode.
basic1.threatstop.com has address 221.208.208.28
basic1.threatstop.com has address 221.208.208.27
basic1.threatstop.com has address 221.208.208.26
basic1.threatstop.com has address 221.208.208.25
basic1.threatstop.com has address 221.208.208.24
basic1.threatstop.com has address 221.208.208.23
basic1.threatstop.com has address 221.208.208.22
basic1.threatstop.com has address 221.208.208.21
basic1.threatstop.com has address 221.208.208.20
basic1.threatstop.com has address 221.208.208.19
basic1.threatstop.com has address 221.208.208.18
basic1.threatstop.com has address 221.208.208.17
basic1.threatstop.com has address 221.208.208.16
basic1.threatstop.com has address 221.208.208.15
basic1.threatstop.com has address 221.208.208.14
basic1.threatstop.com has address 221.208.208.13
basic1.threatstop.com has address 221.208.208.12
basic1.threatstop.com has address 221.208.208.11
basic1.threatstop.com has address 221.208.208.10
basic1.threatstop.com has address 221.208.208.9
basic1.threatstop.com has address 221.208.208.8
basic1.threatstop.com has address 221.208.208.7
basic1.threatstop.com has address 221.208.208.6
basic1.threatstop.com has address 221.208.208.5
basic1.threatstop.com has address 221.208.208.4
basic1.threatstop.com has address 221.208.208.3
basic1.threatstop.com has address 221.208.208.2
basic1.threatstop.com has address 221.208.208.1
basic1.threatstop.com has address 221.208.208.0

These IPs are supposed to be Storm Trojan infected hosts.

As soon as I saw that many records I knew TCP would be involved -- not UDP. Sure enough:

[Wireshark screen capture of the DNS exchange over TCP port 53]
Basically, because so many records are returned, the response does not fit in a single UDP datagram, so TCP is used. If you maintain a policy that blocks all port 53 TCP traffic because you heard that in a class somewhere, you might not be able to resolve these IPs. I wrote about this in my first book when I provided case studies on normal, suspicious, and malicious traffic using port 53 UDP and TCP.
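As an added illustration (not code from the original post), here is the arithmetic behind that "Truncated, retrying in TCP mode" line: a minimal DNS wire-format builder shows that the 29 A records above already bring the answer to 503 bytes even with name compression, so anything else the server appends pushes it past the 512-byte UDP limit and forces the TCP retry that a blanket TCP/53 block would break. The two NS records used for the authority section are an assumption for the demonstration, not something the page shows.

```python
import struct

UDP_MAX = 512  # classic DNS-over-UDP payload limit (RFC 1035) when EDNS0 is not in play

def encode_name(name, suffix=None, suffix_offset=None):
    """Encode a dotted name as length-prefixed labels. If the name ends in `suffix`,
    which already sits at `suffix_offset` in the message, finish with a compression
    pointer instead of repeating those labels (RFC 1035 section 4.1.4)."""
    labels = name.rstrip(".").split(".")
    if suffix is not None and name.rstrip(".").endswith("." + suffix):
        labels = labels[: -len(suffix.split("."))]
        tail = struct.pack("!H", 0xC000 | suffix_offset)
    else:
        tail = b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + tail

def build_response(qname, addrs, ns_names=(), txid=0x1234):
    """Build an A-query response: header, one question, one A record per address,
    plus optional NS records in the authority section. Answer owner names are a
    pointer back to the question name at offset 12, as real servers emit them."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), len(ns_names), 0)  # QR,RD,RA set, TC clear
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    body = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    zone = qname.split(".", 1)[1]                    # e.g. threatstop.com
    zone_off = 12 + 1 + len(qname.split(".")[0])     # where the zone labels start inside the question
    for ns in ns_names:                              # hypothetical authority section
        rdata = encode_name(ns, zone, zone_off)
        body += struct.pack("!H", 0xC000 | zone_off) + struct.pack("!HHIH", 2, 1, 300, len(rdata)) + rdata
    return hdr + question + body

def tc_set(msg):
    """True if the TC (truncated) bit is set in the header flags."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def needs_tcp(msg, udp_max=UDP_MAX):
    """A full reply longer than the UDP limit, or one that arrives with TC=1, is what
    makes `host` and stub resolvers retry the query over TCP port 53."""
    return len(msg) > udp_max or tc_set(msg)

def truncate_for_udp(msg, udp_max=UDP_MAX):
    """What a server may send over UDP when the full reply does not fit: header with
    TC=1 plus the question section and no answers (one common, simple strategy)."""
    if len(msg) <= udp_max:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] | 0x0200
    i = 12
    while msg[i]:                # walk the question name's labels to its root byte
        i += msg[i] + 1
    i += 1 + 4                   # root label plus QTYPE/QCLASS
    return msg[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + msg[12:i]
```

Once the UDP reply comes back with TC=1, `needs_tcp` is true regardless of its length, which is the moment a firewall that drops outbound TCP/53 turns a successful lookup into a failure.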

7 comments:

X-Istence said...

;; Truncated, retrying in TCP mode.

Should have been a great hint :P

Unknown said...

Tom Byrnes, CTO and founder of ThreatSTOP here.

Yes, we have to use TCP because of the list size. However, you only have to allow outbound requests from your firewall or nameserver, not any inbound, so that should not present any security risk to your infrastructure.

For the paranoid, you can sign up for our service, which is free and will provide the same lists even when there isn't a net-emergency. We use a private secure DNS running the latest BIND 9 stable.

Richard Bejtlich said...

bert jw,

I knew it was going to be TCP before I even looked at the traffic. Does that make you happy?

Tom,

Your service is cool -- I was just commenting because I have seen sites who hear "block 53 TCP!" and end up blocking it everywhere, in and out, without thought of the consequences.

Marcin said...

Reminds me of those sites/people who block ICMP because it can be used for tracert or God forbid, ping of death!

X-Istence said...

Richard:

I had no doubts about that. I just found it funny you decided to point it out with a screencap of Wireshark.

Anyone that is blocking TCP port 53 outbound should not be allowed to administrate a firewall since they apparently have no clue how any of the protocols they are using work.

Anonymous said...

DNS Servers ONLY should be left for TCP/53 connects for zone transfers. Good Security practice is DENY any any eq 53 UDP/TCP -- EXCEPT for your primary & secondary DNS servers.

Richard Bejtlich said...

Anonymous, do you even know what I am talking about with respect to legitimate, non-zone-transfer DNS over TCP?