Parsing a massive DNS PCAP file efficiently

The problem statement Say you have a 30GB PCAP full of DNS data, and you want to analyse unusual activity on it. To make things simple, let’s see how long it’ll take to find a list of IPs that have accessed PSN’s domain ( and the timestamp associated with them. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 $ perf stat capinfos bigdnssample.

Monitoring 200K DNS Queries per second using ClickHouse

Why Monitor DNS traffic As a member of a Security Incident Response Team, I’ve seen that the normal security practices like deploying firewalls, IDS sensors, NSM Toolkit and Netflow Monitoring. SIRT is increasingly looking to the network as a data source. For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking.

Hide in Plain Sight: Protocol Multiplexers

Almost every Internet-connected device on the planet comes with a nice web interface to interact with. And some of them like routers and APs come with their own little firewall to prevent backdoors and whatnot. So what if one of these devices or even servers gets compromised? Where do you look at to find IoC (indication of compromise) in them? I don’t think I need to explain why IoT is a huge security challenge for every organization since everyone at least has a “smart” printer lying around somewhere.

Dissection of Winbox critical vulnerability

On April 23rd 2018, Mikrotik fixed a vulnerability “that allowed gaining access to an unsecured router”. myself and @yalpanian of @BASUCERT (part of IR CERT) reverse engineering lab tried to figure out what exactly got fixed, what was the problem in the first place and how severe was the impact of it. UPDATE: full PoC is now available on Github. UPDATE: CVE-2018-14847 has been assigned to this vulnerability and there should be a MetaSploit module related to this bug soon.

Getting started with Dynamic Binary Analysis

What, Why, and Where? What is it exactly? Dynamic Binary Analysis (DBA) is a technique to analyze the behavior of a binary by somehow running it and watch its behavior. Obviously it’s the opposite of Static Binary Analysis in which you disassemble a piece of code and draw the graph of the entire program to see what it does. Why not Static? well, it’s actually better if you have a small binary or a binary written in a friendly programming language.

What is port sharding in Linux and why should I care

It’s actually called SO_REUSEPORT Kernel 3.9 introduced a new cool feature in SOCKET interface called SO_REUSEPORT. So what is it? As the official documentation says, it allows multiple AF_INET or AF_INET6 sockets to be bound to an identical socket address. before binding a socket to an interface, each one should have this option enabled. This way, mutiple processes can listen on the same port at the same time! How Can This Possibly Be Secure?