spoofed.org

The best example that I could quickly come up with is DNS requests in relation to requests for the results of those DNS requests. As an example, the normal traffic pattern for HTTP requests is to first do a lookup for the DNS A record of the host you are interested in, which will be followed shortly thereafter by a request to port 80/tcp on one of the IP addresses returned from the previous query. For basically any type of traffic, you can say that the ratio of DNS requests for a given A record to the number of requests to the results of that A record is a function of DNS TTL, client-side caching, and phase of the moon. This basically means that you really can't make any assumptions about hosts in the middle of the traffic spectrum, but those on the extreme ends are almost certainly of interest.

Use HTTP as an example. Those hosts whose DNS request to HTTP traffic ratio for a given A record are roughly the same are probably not of interest. For those that have a very high DNS request to HTTP request ratio could indicate:

• Faulty DNS setup, or broken caching


• Host is actually a monitoring system of sorts (especially if you consider PTR lookups as relative to traffic to that IP)

Hosts that have a very low DNS requests to HTTP request ratio could indicate:

• Hardcoding of A records in /etc/hosts or equivalent


• Use of a rogue DNS server


• Accessing of a host by IP address, which, IMO, is always suspicious

There is a body of knowledge out there already that touches on this subject to some extent. For example, it is fairly well known that it is a bad idea to configure your monitoring system (IDS, syslog monitoring, event correlation, etc) to do automatic or even semi-automatic A or PTR record lookups. The primary reason for this is performance, but it could also be a good tip to an attacker that some sort of analysis is going on. Say, for example, that I attack example.com from spoofed.org, which current has a forward DNS (A record) entry of 66.92.51.226. If example.com has some sort of monitoring system that in some way does a reverse DNS (PTR) record lookup against 66.92.51.226, or against spoofed.org, that is a good indication to me that someone may be on to me.

Thinking about other statistical relation anomalies that could proove interesting, I came up with:

• Inbound SSH connections as related to seemingly related outbound traffic in a given timeframe. A high ratio could typically indicate a bastion/jump host or a shellserver of sorts, but those that have a lower ratio could indicate a compromised SSH server.


• Inbound HTTP requests as relative to outbound SMTP connections. In a timeframe where the ratio is highly skewed, you could say that all is normal. After all, your average HTTP server should rarely initiate outbound SMTP. However, if the ratio approaches 1:1 during a given timeframe, especially when the number of inbound HTTP clients is small as compared to the number of SMTP desitnations, you should start to examine what services that HTTP server is exposing -- I'd suspect a rogue formail.pl or a busted 'email a friend / contact us' script.

These sorts of questions could easily be answered given the right front-end or database to something like sancp. There are probably a number of canned reports that could be run and give useful results regardless of the environment, but otherwise it could act as the a tool for finding "hosts of interest" in the right hands.