Untitled

By: a guest on May 6th, 2012
Building a BPF to look for authoritative answers from a DNS server.

We know that the UDP header is 8 bytes long, so the DNS payload starts at offset 8 from the start of the UDP header.

The DNS header looks like this:

16 bit identifier
1 bit flag (QR) stating whether the packet is a question or an answer
4 bit opcode field that states the type of message
1 bit flag (AA) signifying whether the answer is authoritative or not

This is all we need to know to build the BPF.

That means we have to look at a minimum of 8 bits, the first flags byte of the DNS header:

00000000
10000100 <-- the ones represent the bits we want to look at

10000100 == 0x84
udp[10:1] & 0x84 == 0x84

Easy enough. Now let's only look at authoritative NXDOMAINs.


Now we need to know:
16 bit id
1 bit qr
4 bit type
1 bit auth
1 bit trunc
1 bit recurs

1 bit recurs avail
3 bit reserved
4 bit rcode

rcode (response code) values:
0 No error condition.
1 Unable to interpret query due to format error.
2 Unable to process due to server failure.
3 Name in query does not exist.
4 Type of query not supported.
5 Query refused.

udp[10:1] & 0x84 == 0x84 && udp[11:1] & 0xf == 3

This compiled to 14 bytecode instructions. Can we optimize more?

Sure: we can look at 2 bytes instead of one.

udp[10:2] & 0x840f == 0x8403

Essentially we only want to look at the bits we are interested in:
1000 0100 0000 0011

but we have to AND with a mask that has all of the last 4 bits (the rcode) set:
1000 0100 0000 1111

then look for the value
1000 0100 0000 0011 = 0x8403

This results in 11 instructions, 3 fewer than before.

A lot of the time the BPF compiler emits extra instructions to skip over
any IP options that might be present. Let's rewrite the filter above so that
it avoids those instructions.

Yes, we would read garbage if IP options were present, but in most cases
they won't even exist.

ether[23:1] == 0x11 && ether[44:2] & 0x840f == 0x8403

This results in 6 instructions! 8 fewer than what we started with. We sacrifice
edge cases for performance.
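Added example, not part of the original paste: a Python model of the two filter forms above, run over constructed Ethernet/IPv4/UDP/DNS frames, so you can see which flag words match and how the fixed-offset ether[] form breaks once IP options are present. build_frame and the two match functions are hypothetical helpers written for this illustration.

```python
import struct

# Constructed sample frames (not captured traffic): Ethernet + IPv4 + UDP + a 12-byte DNS header.
# DNS flags word layout: QR(1) OPCODE(4) AA(1) TC(1) RD(1) | RA(1) Z(3) RCODE(4).
def build_frame(dns_flags, ip_options=b""):
    dns = struct.pack("!HHHHHH", 0x1234, dns_flags, 1, 0, 0, 0)   # id, flags, qd/an/ns/ar counts
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns  # src 53, dst port, length, cksum
    ihl = 5 + len(ip_options) // 4                                 # IPv4 header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(ip_options) + len(udp),
                     0, 0, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_options
    eth = b"\x00" * 12 + b"\x08\x00"                               # dst MAC, src MAC, EtherType IPv4
    return eth + ip + udp

def udp_header(frame):
    """Locate the UDP header the way the udp[] form does: honour the IPv4 IHL field."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl:]

def auth_nxdomain_udp(frame):
    """udp[10:2] & 0x840f == 0x8403  (QR=1, AA=1, RCODE=3; every other flag bit is masked out)."""
    flags = struct.unpack("!H", udp_header(frame)[10:12])[0]
    return (flags & 0x840F) == 0x8403

def auth_nxdomain_ether(frame):
    """ether[23:1] == 0x11 && ether[44:2] & 0x840f == 0x8403 -- fixed offsets, assumes a 20-byte
    IPv4 header with no options (and, like the original, never checks the EtherType itself)."""
    if frame[23] != 0x11:                          # IPv4 protocol field: 17 = UDP
        return False
    flags = struct.unpack("!H", frame[44:46])[0]   # 14 (eth) + 20 (ip) + 8 (udp) + 2 (dns id)
    return (flags & 0x840F) == 0x8403

if __name__ == "__main__":
    cases = {"auth NXDOMAIN": 0x8403, "auth NXDOMAIN with RD/RA set": 0x8583,
             "non-auth NXDOMAIN": 0x8003, "auth NOERROR": 0x8400, "query": 0x0100}
    for name, flags in cases.items():
        print(f"{name:32s} matches: {auth_nxdomain_udp(build_frame(flags))}")
    with_opts = build_frame(0x8403, ip_options=b"\x01" * 4)   # four NOP options shift the payload
    print("auth NXDOMAIN behind IP options: udp form", auth_nxdomain_udp(with_opts),
          "/ ether form", auth_nxdomain_ether(with_opts))
```

To compare the instruction counts quoted above on a real system, `tcpdump -d '<filter>'` dumps the compiled packet-matching code for each expression.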