
The hosting company of a client has shut down their Windows server twice in the past week because the server seems to be sending out massive amounts of outbound encrypted UDP DNS traffic.

I have now configured the firewall to block any incoming/outgoing traffic by default and only allowed the necessary ports. This should prevent the outgoing UDP traffic, but I still don't understand the underlying issue.

There is only a webserver (ASP.net website) and FTP server running on this server and so far I couldn't find any issues in the web application.

What are the attackers doing? Are they DDoSing other servers? And how are they doing this, and how do I fix the root of this problem?

saxum
  • Where is the traffic going? Could be IPsec or some other VPN protocol. – Volker Mar 03 '20 at 10:45
  • China, Hong Kong, Venezuela, Thailand, ... Here is a list of the IP addresses the traffic was sent to: https://pastebin.com/JxbhPzmF – saxum Mar 03 '20 at 10:59
  • Can you tell which port was used in outbound connections? (DNS over UDP) – Rashad Novruzov Mar 03 '20 at 15:29
  • AFAIK there's no encrypted DNS over UDP protocol. IPSec only signs the replies, but the reply itself is in the clear, not encrypted. So it might just be UDP traffic outbound to port 53 to disguise the true nature of the traffic. Many people might just ignore port 53 UDP traffic because it "looks normal" – Steve Sether Mar 03 '20 at 15:49
  • Knowing the volume of the data, as well as seeing some of the packets themselves would tell you something. – Steve Sether Mar 03 '20 at 15:56
  • Thank you for your comments. After some more investigation I am certain that my client's server is infected. The firewall rules I set earlier today are overruled by some shady rules with names such as "XBox Game UI" or "SmartScreen" that allow all incoming/outgoing traffic. My client said they got hacked in the past and migrated to a new server; I think they also migrated backdoors from the old server. – saxum Mar 03 '20 at 16:14
  • I am securing the server now as well as possible and advised them to do a proper migration to a fresh server asap without copying over any executable files. Here is a dump of some traffic that was sent; it would still be interesting to know what exactly the attackers are doing: https://pastebin.com/PgBHARV2 – saxum Mar 03 '20 at 16:18
  • @SteveSether "AFAIK there's no encrypted DNS over UDP protocol." I disagree. See RFC8094 (DNS over DTLS) and current ongoing work to specify DNS over QUIC. – Patrick Mevzek Dec 04 '20 at 01:23

1 Answer

This answer is being given taking into account the comments:

It seems that the attacker is either using it as a VPN hop server (more likely) or for data exfiltration (less likely, since I assume the target is not important).

The reason why I assume that this is most likely a VPN-over-DNS hop server is that at some point in time I had an experience with one of my clients pretty close to the described scenario.

Rashad Novruzov
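An added example, not code from the question or the answer: the check that Steve Sether's comment implies and that the answer's VPN-over-DNS theory relies on, namely whether what leaves the server on UDP/53 actually parses as a DNS query. The function and sample names are my own, the flows are constructed, and the addresses are documentation-range placeholders rather than the asker's pastebin data.

```python
import struct
from collections import Counter

def looks_like_dns_query(payload: bytes) -> bool:
    """True if payload parses as a well-formed DNS query (RFC 1035 wire format)."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:   # QR bit set (a response) or no question section
        return False
    pos, name_len = 12, 0
    while True:                          # walk the QNAME labels
        if pos >= len(payload):
            return False
        ll = payload[pos]
        pos += 1
        if ll == 0:
            break
        if ll > 63 or pos + ll > len(payload):   # label too long or truncated
            return False
        name_len += ll + 1
        if name_len > 255:
            return False
        pos += ll
    return pos + 4 <= len(payload)      # QTYPE and QCLASS must follow the name

def audit_udp53(flows):
    """Per destination, count UDP/53 payloads that do not parse as DNS queries."""
    non_dns = Counter()
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53 and not looks_like_dns_query(f["payload"]):
            non_dns[f["dst"]] += 1
    return dict(non_dns)

def dns_query(name: str) -> bytes:
    """Build a plain A query for name; used here only to construct sample data."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

# Constructed sample flows (203.0.113.0/24 is a documentation range, not a real target):
# one genuine lookup, then large opaque blobs sent to port 53 that are not DNS at all.
SAMPLE_FLOWS = [
    {"proto": "udp", "dst": "203.0.113.53", "dport": 53, "payload": dns_query("example.com")},
    {"proto": "udp", "dst": "203.0.113.10", "dport": 53, "payload": b"\x00" * 12 + b"\x01" * 400},
    {"proto": "udp", "dst": "203.0.113.10", "dport": 53, "payload": bytes(range(256)) * 3},
    {"proto": "udp", "dst": "203.0.113.11", "dport": 53, "payload": b"\xff" * 1200},
]

if __name__ == "__main__":
    print(audit_udp53(SAMPLE_FLOWS))   # {'203.0.113.10': 2, '203.0.113.11': 1}
```

Tunnels that wrap their data in syntactically valid queries pass this check, so pair it with the volume, packet-size and destination review the asker was already doing with the captured traffic.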