<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Conficker DNS Request Question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46743#M34359</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do you have any unused ports on the PaloAlto? You could set up a vwire (2 ports) and insert this between the switch and the DNS Proxy. Then you would have the source IP of the machine making the request. One other option would be to configure a mirror port on the switch and configure a single port on the PA as a tap-mode. This will generate alerts but cannot block or drop malicious packets.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Steve Krall&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 14 Apr 2011 21:18:22 GMT</pubDate>
    <dc:creator>skrall</dc:creator>
    <dc:date>2011-04-14T21:18:22Z</dc:date>
    <item>
      <title>Conficker DNS Request Question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46742#M34358</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So we have some conficker infections here where I work. The problem is that the PA sits at the edge, so all I see are Conficker DNS Requests that get proxied through our internal DNS Server to the Internet. I guess there is no way that PA can see what IP the original request came from?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any creative thoughts on how to do this? What I've been doing is starting traces on the DNS Servers and looking for the sources manually. It's a pain. I have ports open. Should I mirror the DNS Server Ports?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Justin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 14 Apr 2011 19:59:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46742#M34358</guid>
      <dc:creator>jhickey</dc:creator>
      <dc:date>2011-04-14T19:59:05Z</dc:date>
    </item>
    <item>
      <title>Re: Conficker DNS Request Question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46743#M34359</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do you have any unused ports on the PaloAlto? You could set up a vwire (2 ports) and insert this between the switch and the DNS Proxy. Then you would have the source IP of the machine making the request. One other option would be to configure a mirror port on the switch and configure a single port on the PA as a tap-mode. This will generate alerts but cannot block or drop malicious packets.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Steve Krall&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 14 Apr 2011 21:18:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46743#M34359</guid>
      <dc:creator>skrall</dc:creator>
      <dc:date>2011-04-14T21:18:22Z</dc:date>
    </item>
    <item>
      <title>Re: Conficker DNS Request Question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46744#M34360</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Steve,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I kind of figured that. I almost wish there was a small agent piece, or a Wireshark filter that could just tell me the sources by monitoring traffic on the machine. I might be able to author one. Getting a mirror port set up where I work could take a while.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I appreciate your reply,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Justin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 15 Apr 2011 12:12:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/conficker-dns-request-question/m-p/46744#M34360</guid>
      <dc:creator>jhickey</dc:creator>
      <dc:date>2011-04-15T12:12:50Z</dc:date>
    </item>
  </channel>
</rss>