![]() *Note: IP’s have been randomised to ensure privacy. Youll find this challenge and the packet capture in Chapter 3 Exercise Files. Download Example PCAP of DNS Request Flood In this challenge, youll use Wireshark to examine DNS traffic. If you see a single source sending many such requests, it could be an attacker. Finally, to identify the response for a specific request or vice versa, use “dns.id = ”. Further more, to identify DNS packets specifically, the “dns” filter can be used. “Image 3: DNS Request Transaction ID”Īnalysis of the DNS Request Flood in Wireshark – FiltersĪs mentioned in the Technical Analysis, DNS uses the UDP protocol, so the very basic filter that can be used is “udp”. Depending on the request type the server may respond differently. There you can see that identifying the request-response pair can be done using the Transaction ID. ![]() ![]() Images 3 and 4 show the server’s response with the result of the query. “Image 2: The name, type and class of a DNS request” The Class will be IN (stands for internet) most of the time. Common ones are A which will retrieve the IP, MX which will retrieve the mail exchange servers IPs, etc. The type specifies the record to be fetched. It is a freeware tool that, once mastered, can provide valuable insight into your environment. Wireshark is a very useful tool for information security professionals and is thought of by many as the de facto standard in network packet and protocol analysis. The name is the fqdn name to retrieve the IP for. PCAP analysis basics with Wireshark updated 2021 Januby Graeme Messina. Image 2 highlights the UDP packet containing the query information, which consists of a name, a type, and a class. Technical AnalysisĪs seen in Image 1, a DNS request uses the UDP protocol with a destination port of 53. If DNS services are unavailable to legitimate users it can completely cripple most modern networks since FQDN names are used to provide most services. ![]() DNS Request flood is a DDoS attack which sends DNS request packets to a DNS server in an attempt to overwhelm the server’s ability to respond to legitimate DNS requests.
0 Comments
Leave a Reply. |