What does the caret ("connection direction was flipped by Bro’s heuristic”) in a connections history mean? If the packet in question was spoofed (like the receiving end of a DNS amplification attack) would that trigger Bro’s heuristics?
Below are entries from dns, conn and weird logs for the same event for which I can’t find any indications that it sourced from my network. Additionally, there are no subsequent connection attempts to the IP contained in the response packet.
Dns.log
1491285594.163321 CFXfdl4zMQrM2T15Wa 57555 194.9.69.193 53 udp 21705 - wfuvsrsrwb.www.91duofenxiang[.]com - - - - 0 NOERROR F F F T 0 193.58.251[.]1 60.000000 F
Conn.log
1491285594.163321 CFXfdl4zMQrM2T15Wa 57555 194.9.69.193 53 udp dns - - - SHR T ^d 0 0 1 94 (empty) PDC_NSM-4 US RU
Weird.log
1491285604.163437 CFXfdl4zMQrM2T15Wa 57555 194.9.69.193 53 dns_unmatched_msg - F PDC_NSM-4
Thanks,
-Dave
> What does the caret ("connection direction was flipped by Bro’s heuristic”) in a connections history mean? If the packet in question was spoofed (like the receiving end of a DNS amplification attack) would that trigger Bro’s heuristics?
Yes..
> Below are entries from dns, conn and weird logs for the same event for which I can’t find any indications that it sourced from my network. Additionally, there are no subsequent connection attempts to the IP contained in the response packet.
> Dns.log
> 1491285594.163321 CFXfdl4zMQrM2T15Wa <REDACTED> 57555 194.9.69.193 53 udp 21705 - wfuvsrsrwb.www.91duofenxiang[.]com - - - - 0 NOERROR F F F T 0 193.58.251[.]1 60.000000 F
> Conn.log
> 1491285594.163321 CFXfdl4zMQrM2T15Wa <REDACTED> 57555 194.9.69.193 53 udp dns - - - SHR T ^d 0 0 1 94 (empty) PDC_NSM-4 US RU
> Weird.log
> 1491285604.163437 CFXfdl4zMQrM2T15Wa <REDACTED> 57555 194.9.69.193 53 dns_unmatched_msg - F PDC_NSM-4
It definitely wasn't sourced from your network. You can see the numbers after the history field (^d) are:
orig_pkts=0
orig_ip_bytes=0
resp_pkts=1
resp_ip_bytes=94
which shows that Bro saw that you sent 0 packets and received 1.
The issue is that you were sent a DNS response packet, which in a perfect world where carriers do proper ingress filtering would have only happened if you had sent the corresponding DNS query packet. Bro assumes it didn't see the query due to capture loss and sets up the orig/resp under that assumption.
Unfortunately this doesn't work so well for backscatter, especially when dealing with UDP protocols.
It's easy enough to filter out connections like this to another log file if you wanted; generally anything with a local address as a source and resp_pkts=1 and orig_pkts=0 is from backscatter.
I've looked into fixing this inside of Bro, but the code that handles this sort of thing is a bit complicated.
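As an added example (not code from the thread or from Bro itself), here is the backscatter rule from the reply above applied to a constructed conn.log excerpt. The `#fields` header is an assumption matching the column order of the line quoted in the thread, 10.0.0.25 stands in for the redacted local host, and 10.0.0.0/8 is assumed as the local network.

```python
"""Flag backscatter records in a Bro/Zeek conn.log (rule: local source, orig_pkts=0, resp_pkts=1)."""
import ipaddress

# Constructed excerpt. The #fields line is an assumed header matching the column order of the
# conn.log line quoted in the thread; a real conn.log carries its own #fields header.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\thistory\torig_pkts\torig_ip_bytes"
    "\tresp_pkts\tresp_ip_bytes\ttunnel_parents\tsensor\torig_cc\tresp_cc\n"
    # The thread's flipped record (10.0.0.25 is a placeholder for the redacted host).
    "1491285594.163321\tCFXfdl4zMQrM2T15Wa\t10.0.0.25\t57555\t194.9.69.193\t53\tudp\tdns"
    "\t-\t-\t-\tSHR\tT\t^d\t0\t0\t1\t94\t(empty)\tPDC_NSM-4\tUS\tRU\n"
    # A constructed ordinary query/response pair for contrast.
    "1491285600.000000\tCabc123normalQuery\t10.0.0.25\t40001\t8.8.8.8\t53\tudp\tdns"
    "\t0.01\t40\t120\tSF\tT\tDd\t1\t68\t1\t148\t(empty)\tPDC_NSM-4\tUS\tUS\n"
)

# Assumed local address space (Bro's Site::local_nets would be the real source of this).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_conn_log(text):
    """Parse tab-separated conn.log text into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("conn.log line does not match the #fields header")
        records.append(dict(zip(fields, values)))
    return records


def _count(value):
    """Packet counters are '-' when unset; treat that as unknown rather than zero."""
    return None if value == "-" else int(value)


def direction_flipped(rec):
    """A leading '^' in history means Bro flipped orig/resp by heuristic."""
    return rec["history"].startswith("^")


def is_backscatter(rec, local_nets):
    """The reply's rule: local originator that sent nothing while one packet came back."""
    src_local = any(ipaddress.ip_address(rec["id.orig_h"]) in net for net in local_nets)
    return src_local and _count(rec["orig_pkts"]) == 0 and _count(rec["resp_pkts"]) == 1


def find_backscatter(text, local_nets=LOCAL_NETS):
    """Return the uids of conn.log records that look like backscatter."""
    return [rec["uid"] for rec in parse_conn_log(text) if is_backscatter(rec, local_nets)]
```

The flipped record is also the only one whose history starts with `^`, which is the cheaper first check when orig_pkts/resp_pkts are not available.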