Hi ,
I am a new Bro user. Recently, I observer a new way to launch a IPv6 address scanning. For instance, a attacker sends a IPv6 reverse DNS lookup query to a target DNS server and extracts a IPv6 record from the reverse DNS zone.
The DNS query looks like:
0.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
1.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
2.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
0.2.0.0.0.0.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa
I try to use Bro to detect this kinds of attack. But when I use main.bro to read my trace file, I can’t extract the DNS query? I looked the dns_request event and added some debug messages in this routine. Again, I can’t see the ip6.arpa query print out.
To detect this attack, I have to extract the DNS query and compare with the previous query. Is that possible to extract the DNS query by using some existing functions? Do you have any suggestion?
Many thanks for your attention to this matter. Have a nice day.
Kind regards,
Steven