aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dns: detect case of request flooding

Browse Source 
In the case where DNS requests are sent over the same flow w/o a
reply being received, we now set an event in the flow and refuse
to add more transactions to the state. This protects the DNS
handling from getting overloaded slowing down everything.

A new option to configure this behaviour was added:

app-layer:
  protocols:
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
       request-flood: 750

The request-flood parameter can be 0 (disabling this feature) or a
positive integer. It defaults to 500.

This means that if 500 unreplied requests are seen in a row an event
is set. Rule 2240007 was added to dns-events.rules to match on this.
pull/625/merge
Victor Julien 12 years ago
parent c1b9f0e1f4
commit 61cdd9be6b
6 changed files with 78 additions and 25 deletions
Show Stats Download Patch File Download Diff File

2
rules/dns-events.rules
Unescape Escape View File

@ -9,3 +9,5 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server;
alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;) alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)
# Z flag (reserved) not 0 # Z flag (reserved) not 0
alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;) alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
# Request Flood Detected
alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)

33
src/app-layer-dns-common.c
Unescape Escape View File

@ -28,12 +28,26 @@
#include "util-print.h" #include "util-print.h"
#endif #endif
typedef struct DNSConfig_ {
uint32_t request_flood;
} DNSConfig;
static DNSConfig dns_config;
void DNSConfigInit(void) {
memset(&dns_config, 0x00, sizeof(dns_config));
}
void DNSConfigSetRequestFlood(uint32_t value) {
dns_config.request_flood = value;
}
SCEnumCharMap dns_decoder_event_table[ ] = { SCEnumCharMap dns_decoder_event_table[ ] = {
{ "UNSOLLICITED_RESPONSE", DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE, }, { "UNSOLLICITED_RESPONSE", DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE, },
{ "MALFORMED_DATA", DNS_DECODER_EVENT_MALFORMED_DATA, }, { "MALFORMED_DATA", DNS_DECODER_EVENT_MALFORMED_DATA, },
{ "NOT_A_REQUEST", DNS_DECODER_EVENT_NOT_A_REQUEST, }, { "NOT_A_REQUEST", DNS_DECODER_EVENT_NOT_A_REQUEST, },
{ "NOT_A_RESPONSE", DNS_DECODER_EVENT_NOT_A_RESPONSE, }, { "NOT_A_RESPONSE", DNS_DECODER_EVENT_NOT_A_RESPONSE, },
{ "Z_FLAG_SET", DNS_DECODER_EVENT_Z_FLAG_SET, }, { "Z_FLAG_SET", DNS_DECODER_EVENT_Z_FLAG_SET, },
{ "FLOODED", DNS_DECODER_EVENT_FLOODED, },
{ NULL, -1 }, { NULL, -1 },
}; };
@ -312,8 +326,21 @@ bad_data:
void DNSStoreQueryInState(DNSState *dns_state, const uint8_t *fqdn, const uint16_t fqdn_len, void DNSStoreQueryInState(DNSState *dns_state, const uint8_t *fqdn, const uint16_t fqdn_len,
const uint16_t type, const uint16_t class, const uint16_t tx_id) const uint16_t type, const uint16_t class, const uint16_t tx_id)
{ {
if (dns_state->curr != NULL && dns_state->curr->replied == 0) /* flood protection */
if (dns_state->givenup)
return;
if (dns_state->curr != NULL && dns_state->curr->replied == 0) {
dns_state->curr->reply_lost = 1; dns_state->curr->reply_lost = 1;
dns_state->unreplied_cnt++;
/* check flood limit */
if (dns_config.request_flood != 0 &&
dns_state->unreplied_cnt > dns_config.request_flood) {
DNSSetEvent(dns_state, DNS_DECODER_EVENT_FLOODED);
dns_state->givenup = 1;
}
}
DNSTransaction *tx = DNSTransactionFindByTxId(dns_state, tx_id); DNSTransaction *tx = DNSTransactionFindByTxId(dns_state, tx_id);
if (tx == NULL) { if (tx == NULL) {
@ -353,7 +380,6 @@ void DNSStoreAnswerInState(DNSState *dns_state, const int rtype, const uint8_t *
TAILQ_INSERT_TAIL(&dns_state->tx_list, tx, next); TAILQ_INSERT_TAIL(&dns_state->tx_list, tx, next);
dns_state->curr = tx; dns_state->curr = tx;
tx->tx_num = dns_state->transaction_max; tx->tx_num = dns_state->transaction_max;
} }
DNSAnswerEntry *q = SCMalloc(sizeof(DNSAnswerEntry) + fqdn_len + data_len); DNSAnswerEntry *q = SCMalloc(sizeof(DNSAnswerEntry) + fqdn_len + data_len);
@ -381,6 +407,9 @@ void DNSStoreAnswerInState(DNSState *dns_state, const int rtype, const uint8_t *
/* mark tx is as replied so we can log it */ /* mark tx is as replied so we can log it */
tx->replied = 1; tx->replied = 1;
/* reset unreplied counter */
dns_state->unreplied_cnt = 0;
} }
/** \internal /** \internal

8
src/app-layer-dns-common.h
Unescape Escape View File

@ -56,6 +56,7 @@ enum {
DNS_DECODER_EVENT_NOT_A_REQUEST, DNS_DECODER_EVENT_NOT_A_REQUEST,
DNS_DECODER_EVENT_NOT_A_RESPONSE, DNS_DECODER_EVENT_NOT_A_RESPONSE,
DNS_DECODER_EVENT_Z_FLAG_SET, DNS_DECODER_EVENT_Z_FLAG_SET,
DNS_DECODER_EVENT_FLOODED,
}; };
/** \brief DNS packet header */ /** \brief DNS packet header */
@ -143,7 +144,9 @@ typedef struct DNSState_ {
TAILQ_HEAD(, DNSTransaction_) tx_list; /**< transaction list */ TAILQ_HEAD(, DNSTransaction_) tx_list; /**< transaction list */
DNSTransaction *curr; /**< ptr to current tx */ DNSTransaction *curr; /**< ptr to current tx */
uint64_t transaction_max; uint64_t transaction_max;
uint32_t unreplied_cnt; /**< number of unreplied requests in a row */
uint16_t events; uint16_t events;
uint16_t givenup;
/* used by TCP only */ /* used by TCP only */
uint16_t offset; uint16_t offset;
@ -151,6 +154,11 @@ typedef struct DNSState_ {
uint8_t *buffer; uint8_t *buffer;
} DNSState; } DNSState;
#define DNS_CONFIG_DEFAULT_REQUEST_FLOOD 500
void DNSConfigInit(void);
void DNSConfigSetRequestFlood(uint32_t value);
void RegisterDNSParsers(void); void RegisterDNSParsers(void);
void DNSParserTests(void); void DNSParserTests(void);
void DNSParserRegisterTests(void); void DNSParserRegisterTests(void);

16
src/app-layer-dns-tcp.c
Unescape Escape View File

@ -359,11 +359,12 @@ static int DNSReponseParseData(Flow *f, DNSState *dns_state, const uint8_t *inpu
DNSTransaction *tx = NULL; DNSTransaction *tx = NULL;
int found = 0; int found = 0;
TAILQ_FOREACH(tx, &dns_state->tx_list, next) { if ((tx = DNSTransactionFindByTxId(dns_state, ntohs(dns_header->tx_id))) != NULL)
if (tx->tx_id == ntohs(dns_header->tx_id)) { found = 1;
found = 1;
break; if (!found) {
} SCLogDebug("DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE");
DNSSetEvent(dns_state, DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE);
} }
uint16_t q; uint16_t q;
@ -439,11 +440,6 @@ static int DNSReponseParseData(Flow *f, DNSState *dns_state, const uint8_t *inpu
} }
} }
if (!found) {
SCLogDebug("DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE");
DNSSetEvent(dns_state, DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE);
}
SCReturnInt(1); SCReturnInt(1);
bad_data: bad_data:
insufficient_data: insufficient_data:

43
src/app-layer-dns-udp.c
Unescape Escape View File

@ -23,6 +23,9 @@
#include "suricata-common.h" #include "suricata-common.h"
#include "suricata.h" #include "suricata.h"
#include "conf.h"
#include "util-misc.h"
#include "debug.h" #include "debug.h"
#include "decode.h" #include "decode.h"
@ -179,12 +182,14 @@ static int DNSUDPResponseParse(Flow *f, void *dstate,
DNSTransaction *tx = NULL; DNSTransaction *tx = NULL;
int found = 0; int found = 0;
TAILQ_FOREACH(tx, &dns_state->tx_list, next) { if ((tx = DNSTransactionFindByTxId(dns_state, ntohs(dns_header->tx_id))) != NULL)
if (tx->tx_id == ntohs(dns_header->tx_id)) { found = 1;
found = 1;
break; if (!found) {
} SCLogDebug("DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE");
DNSSetEvent(dns_state, DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE);
} }
if (DNSValidateResponseHeader(dns_state, dns_header) < 0) if (DNSValidateResponseHeader(dns_state, dns_header) < 0)
goto bad_data; goto bad_data;
@ -269,17 +274,12 @@ static int DNSUDPResponseParse(Flow *f, void *dstate,
if (ntohs(dns_header->flags) & 0x0003) { if (ntohs(dns_header->flags) & 0x0003) {
SCLogDebug("no such name"); SCLogDebug("no such name");
if (dns_state->curr != NULL) { if (tx != NULL) {
dns_state->curr->no_such_name = 1; tx->no_such_name = 1;
} }
} }
if (!found) { SCReturnInt(1);
SCLogDebug("DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE");
DNSSetEvent(dns_state, DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE);
}
SCReturnInt(1);
bad_data: bad_data:
insufficient_data: insufficient_data:
@ -300,6 +300,21 @@ static uint16_t DNSUdpProbingParser(uint8_t *input, uint32_t ilen, uint32_t *off
return ALPROTO_DNS_UDP; return ALPROTO_DNS_UDP;
} }
static void DNSUDPConfigure(void) {
uint32_t request_flood = DNS_CONFIG_DEFAULT_REQUEST_FLOOD;
ConfNode *p = ConfGetNode("app-layer.protocols.dnsudp.request-flood");
if (p != NULL) {
uint32_t value;
if (ParseSizeStringU32(p->val, &value) < 0) {
SCLogError(SC_ERR_DNS_CONFIG, "invalid value for request-flood %s", p->val);
} else {
request_flood = value;
}
}
SCLogInfo("DNS request flood protection level: %u", request_flood);
DNSConfigSetRequestFlood(request_flood);
}
void RegisterDNSUDPParsers(void) { void RegisterDNSUDPParsers(void) {
char *proto_name = "dnsudp"; char *proto_name = "dnsudp";
@ -349,6 +364,8 @@ void RegisterDNSUDPParsers(void) {
DNSGetAlstateProgressCompletionStatus); DNSGetAlstateProgressCompletionStatus);
DNSAppLayerRegisterGetEventInfo(ALPROTO_DNS_UDP); DNSAppLayerRegisterGetEventInfo(ALPROTO_DNS_UDP);
DNSUDPConfigure();
} else { } else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection" SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name); "still on.", proto_name);

1
src/util-error.h
Unescape Escape View File

@ -268,6 +268,7 @@ typedef enum {
SC_WARN_XFF_INVALID_MODE, SC_WARN_XFF_INVALID_MODE,
SC_WARN_XFF_INVALID_HEADER, SC_WARN_XFF_INVALID_HEADER,
SC_ERR_THRESHOLD_SETUP, SC_ERR_THRESHOLD_SETUP,
SC_ERR_DNS_CONFIG,
} SCError; } SCError;
const char *SCErrorToString(SCError); const char *SCErrorToString(SCError);

Write Preview
Loading…
Cancel
Save