Monitor outbound DNS connections to guard against the Conficker worm

Monitor your outbound DNS connections

Author: Paul Mah

Translation: endurer, 2009-04-08, 1st edition

Category: Infrastructure, security

Tags: DHCP, Monitor, Network, DNS, Trojan Horse, Server, Domain Names, Networking, Spyware, Spyware, Adware & Malware

English source: http://blogs.techrepublic.com.com/networking/?p=1279&tag=nl.e102

Consider monitoring or filtering outbound DNS connections to better protect your network against certain phishing attacks and a new breed of trojans that masquerades as DHCP servers.




Johannes Ullrich, who is the CTO of the SANS Internet Storm Center, wrote recently on what appears to be a new rash of malware that attempts to directly threaten network services. Once a host has been infected, this trojan sets up a rogue DHCP server on the host machine. Because DHCP works on a broadcast mechanism in which the response supplied by the first server will be used by a querying client, it is possible for workstations renewing their DHCP lease to be tricked into utilizing the IP address of a malicious domain name server.



(endurer's note: 1. trick sb. into doing: to deceive someone into doing something)


This is not the first time that such a trojan has appeared though. Indeed, this appears to be a variant of the Trojan.Flush.M, but it is modified to be harder to detect — it does not specify any DNS domain name and sets a relatively short DHCP lease time of one hour, among other changes.


The bottom line here is that it is relatively trivial for a single infected machine to undermine DHCP to corrupt the DNS settings of all workstations on the network, assuming that they are not configured with static IPs.


(endurer's note: 1. bottom line: the last line of figures, the final result)
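The rogue DHCP server described above can be spotted on the wire before any client accepts its lease. The following Python script is an added example, not code from the article or from the SANS Internet Storm Center: it parses a raw DHCP message, pulls out the server identifier (option 54), the DNS servers handed out (option 6), the lease time (option 51) and the domain name (option 15), and reports an OFFER that comes from a server not on an approved list, hands out resolvers not on an approved list, carries the short one-hour lease the variant uses, or omits a domain name. The approved server and resolver addresses (192.0.2.x) and the minimum lease threshold are constructed lab values; the two resolver addresses in the rogue sample are the ones the article names. `build_offer` exists only to construct sample packets for the demo; in practice the payload would come from a capture of UDP port 67/68 traffic.

```python
import struct
import ipaddress

# Constructed lab values (TEST-NET-1 space); not taken from the article.
APPROVED_DHCP_SERVERS = {"192.0.2.1"}
APPROVED_RESOLVERS = {"192.0.2.53"}
MIN_LEASE_SECONDS = 4 * 3600  # a lease shorter than this is worth a look

DHCP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed header, then the magic cookie
MAGIC = b"\x63\x82\x53\x63"
OPT_DNS, OPT_DOMAIN, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 6, 15, 51, 53, 54
DHCPOFFER = 2


def build_offer(server_id, yiaddr, dns_servers, lease, domain=None, xid=0x1234):
    """Build a minimal DHCPOFFER; used here only to construct sample input."""
    p = lambda ip: ipaddress.IPv4Address(ip).packed
    header = struct.pack(DHCP_HEADER, 2, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), p(yiaddr), p(server_id), bytes(4),
                         bytes(16), bytes(64), bytes(128))
    opts = MAGIC + bytes([OPT_MSGTYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + p(server_id)
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(p(d) for d in dns_servers)
    if domain:
        opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode()
    return header + opts + b"\xff"


def parse_dhcp(payload):
    """Return (fixed fields, {option code: raw value}) for a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(DHCP_HEADER, payload[:236])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # END option
            break
        if code == 0:            # PAD option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return fields, options


def assess_offer(payload, approved_servers=APPROVED_DHCP_SERVERS,
                 approved_resolvers=APPROVED_RESOLVERS):
    """Return a list of findings for a DHCPOFFER; an empty list means it looks normal."""
    _, opts = parse_dhcp(payload)
    if opts.get(OPT_MSGTYPE, b"")[:1] != bytes([DHCPOFFER]):
        return []                        # only OFFER messages are assessed here
    findings = []
    server = (str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
              if OPT_SERVER_ID in opts else "unknown")
    if server not in approved_servers:
        findings.append(f"offer from unapproved DHCP server {server}")
    raw = opts.get(OPT_DNS, b"")
    handed_out = [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]
    bad = [d for d in handed_out if d not in approved_resolvers]
    if bad:
        findings.append("offer hands out unapproved DNS servers " + ", ".join(bad))
    if OPT_LEASE in opts:
        lease = struct.unpack("!I", opts[OPT_LEASE])[0]
        if lease < MIN_LEASE_SECONDS:
            findings.append(f"unusually short lease of {lease} seconds")
    if OPT_DOMAIN not in opts:
        findings.append("no DNS domain name supplied")
    return findings


# Constructed samples: a legitimate offer, and one modelled on the behaviour the
# article describes (unapproved server, one-hour lease, no domain name, and the
# resolver addresses the article names).
LEGIT_OFFER = build_offer("192.0.2.1", "192.0.2.100", ["192.0.2.53"], 86400, "corp.example")
ROGUE_OFFER = build_offer("192.0.2.77", "192.0.2.100",
                          ["64.86.133.51", "63.243.173.162"], 3600)

if __name__ == "__main__":
    for name, offer in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, assess_offer(offer) or ["ok"])
```

Running the script prints no findings for the legitimate offer and four for the rogue one. The same checks work on DHCPACK messages with a one-line change to the message-type test, and because offers are broadcast, a single passive sensor on each segment sees every one of them.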

So how can one defend against this trojan as well as similar attacks?


Static IPs

The simplest way to defend against such trojans would surely be to hardwire the DNS settings for every workstation on the network. However, such a solution is impractical for networks larger than even a couple of dozen nodes at the most. Indeed, the increasing use of wireless networks in the enterprise, as well as laptops, serves only as an additional deterrent, because static settings are inconvenient in such circumstances.


(endurer's note: 1. a couple of: two, a few
2. A couple of dozen prints were rolled off in no time: a few dozen prints were run off in no time.
though most people are aware of only a couple of dozen of their names: although most people know only twenty-odd of their names
3. at the most: at most, indicating an upper limit)

Outbound DNS

A simpler way for larger corporations to defend against the vulnerability exposed by this trojan would be to monitor outbound DNS connections. This could mean logging all DNS queries, which is also useful for tracking down suspicious traffic trends from phishing attacks. Of course, such a drastic measure comes with its own bag of user and possible managerial resistance due to its invasive nature.


(endurer's note: 1. log down: to log off the system)

An even cleaner method would be to configure an internal DNS server tasked with all domain name queries. All other DNS queries not originating from this machine are to be barred. If the resources are not available to set up an internal DNS server, a more capable firewall can be used to block DNS queries to any address that is not on an approved list.


In the meantime, you might want to run a quick check that the IPs of the malicious DNS servers, 64.86.133.51 and 63.243.173.162, are not currently being queried on your network.


(endurer's note: 1. In the meantime: at that time; meanwhile, between two events)
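The monitoring approach in the previous paragraphs, logging every outbound DNS connection and comparing the destination with the one sanctioned internal resolver, can be put into a short audit script. This Python example is added here and is not the article's own code or a tool from TechRepublic or SANS. It parses constructed firewall-style log lines (the `src=... dst=... proto=... dport=...` format is an assumption, not any particular product's output), ignores everything that is not a port-53 flow, flags flows to any resolver not on the approved list, groups the flagged destinations by source host so that a workstation whose DNS settings have been changed stands out, and separately reports hits on the two addresses the article asks you to check for. The internal resolver 192.0.2.53 and the hosts in 192.0.2.0/24 and 198.51.100.0/24 are constructed lab values.

```python
import re
from collections import defaultdict

# Constructed: the only internal resolver that should be talking to port 53.
APPROVED_RESOLVERS = {"192.0.2.53"}
# The two addresses the article asks you to check for; maintain your own current list.
ARTICLE_INDICATORS = {"64.86.133.51", "63.243.173.162"}

# Constructed log line format; adapt the pattern to the firewall actually in use.
LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return a dict with src, dst, proto and dport for one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def audit_dns(lines, approved=APPROVED_RESOLVERS, indicators=ARTICLE_INDICATORS):
    """Flag every outbound port-53 flow whose destination is not an approved resolver.

    Returns {"flagged": [(src, dst), ...],          every unapproved DNS flow
             "indicator_hits": [(src, dst), ...],   subset that hit a listed address
             "by_source": {src: [dst, ...]}}        unapproved resolvers per host
    """
    flagged, hits, by_source = [], [], defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != 53:
            continue                     # unparseable, or not a DNS flow
        if ev["dst"] in approved:
            continue                     # went through the sanctioned resolver
        flagged.append((ev["src"], ev["dst"]))
        by_source[ev["src"]].add(ev["dst"])
        if ev["dst"] in indicators:
            hits.append((ev["src"], ev["dst"]))
    return {"flagged": flagged, "indicator_hits": hits,
            "by_source": {src: sorted(dsts) for src, dsts in by_source.items()}}


# Constructed sample log: one host has been pointed at the article's addresses,
# a second host is using some other outside resolver, the rest are normal.
SAMPLE_LOG = [
    "2009-04-07T10:00:01 ACCEPT src=192.0.2.10 dst=192.0.2.53 proto=udp dport=53",
    "2009-04-07T10:00:02 ACCEPT src=192.0.2.10 dst=64.86.133.51 proto=udp dport=53",
    "2009-04-07T10:00:03 ACCEPT src=192.0.2.10 dst=63.243.173.162 proto=udp dport=53",
    "2009-04-07T10:00:04 ACCEPT src=192.0.2.11 dst=198.51.100.8 proto=udp dport=53",
    "2009-04-07T10:00:05 ACCEPT src=192.0.2.11 dst=198.51.100.8 proto=tcp dport=443",
    "2009-04-07T10:00:06 ACCEPT src=192.0.2.12 dst=192.0.2.53 proto=udp dport=53",
]

if __name__ == "__main__":
    report = audit_dns(SAMPLE_LOG)
    for src, dsts in sorted(report["by_source"].items()):
        print(f"{src} queried unapproved resolvers: {', '.join(dsts)}")
    for src, dst in report["indicator_hits"]:
        print(f"INDICATOR HIT: {src} -> {dst}")
```

Once the firewall rule from the paragraph above is in place (port 53 allowed only from the internal resolver), the same script run over the firewall's drop log tells you which hosts still have altered DNS settings, since a blocked query shows up as a flow to an unapproved destination even though it never left the network.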

Paul Mah is an independent tech writer, covering a range of topics from enterprise IT to mobile technology. Several times a week, he also indulges in teaching IT-related topics at a local polytechnic. You can reach him via his contact page at TechatPlay.com.
