Analyzing DNS and ICMP Traffic

Analyzing DNS (Domain Name System) and ICMP (Internet Control Message Protocol) traffic plays a crucial role in understanding and diagnosing network behavior and security threats. DNS serves as the backbone of the internet, translating human-readable domain names into IP addresses, while ICMP facilitates communication between network devices by transmitting control messages. By closely examining DNS and ICMP traffic patterns, network administrators and security analysts can gain valuable insights into network performance, identify potential issues, detect malicious activities, and take appropriate measures to ensure optimal network operation and safeguard against cyber threats. By delving into the intricacies of DNS and ICMP traffic, organizations can enhance their network infrastructure, optimize performance, and fortify their cybersecurity posture.


Scenario

You are a cybersecurity analyst working at a company that specializes in providing IT consulting services. Several customers contacted your company to report that they were not able to access the company website www.yummyrecipesforme.com and saw the error “destination port unreachable” after waiting for the page to load.

You are tasked with analyzing the situation and determining which network protocol was affected during this incident. To start, you visit the website, and you also receive the error “destination port unreachable.” Next, you load your network analyzer tool, tcpdump, and load the webpage again. This time, you receive a lot of packets in your network analyzer. The analyzer shows that when you send UDP packets and receive an ICMP response returned to your host, the results contain an error message: “udp port 53 unreachable.” 


DNS & ICMP Traffic Log

13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:24:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable length 254
13:26:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:27:15.934126 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable length 320
13:28:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:28:50.022967 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable length 150


Now that I have captured data packets using a network analyzer tool, it is my job to identify which network protocol and service were impacted by this incident. Then, I will need to write a follow-up report.


Step 1: Provide a summary of the problem. Make sure it explains your findings in common language so that anyone can understand the idea behind what the problem is.

The DNS server is down or unreachable. As evidenced by the results of the network analysis, the ICMP response returned the error message “udp port 53 unreachable.” Port 53 is commonly used for DNS protocol traffic, so most likely the DNS server is not responding.

  • We can see that the DNS server is down or unreachable here in the log (192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com)
  • In the log we can see where the ICMP response returned with an error message (ICMP 203.0.113.2 udp port 53 unreachable length 150)
  • In the scenario we are told that port 53 is used for the DNS protocol (port 53, which aligns with the .domain suffix in 203.0.113.2.domain, is a well-known port for the DNS service)
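As an added example (not part of the original exercise or the course material), the following Python script automates the Step 1 analysis: it parses the tcpdump lines above, normalises tcpdump's "domain" service name back to port 53, and pairs each DNS query with the ICMP port-unreachable error sent back by the queried server. The capture text is the exercise log embedded inline; the regexes, function names and the "rejected query" rule are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines from the exercise log, each ICMP entry on one line.
CAPTURE = """\
13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:24:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable length 254
13:26:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:27:15.934126 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable length 320
13:28:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (24)
13:28:50.022967 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable length 150
"""

# A DNS query as tcpdump prints it: "src.sport > dst.dport: id+ TYPE? name. (len)"
QUERY_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\."
                      r"(?P<dport>\w+): (?P<qid>\d+)\+ (?P<qtype>\w+)\? (?P<name>\S+) \(\d+\)$")
# An ICMP destination-unreachable (port unreachable) error, with or without tcpdump's comma
ICMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<host>[\d.]+) "
                     r"(?P<proto>udp|tcp) port (?P<port>\w+) unreachable,? length \d+$")
# tcpdump substitutes service names for well-known ports; normalise back to numbers
PORT_NAMES = {"domain": "53"}
SERVICES = {("udp", "53"): "DNS", ("tcp", "53"): "DNS"}

def parse_capture(text):
    """Split the capture into DNS queries sent and ICMP port-unreachable errors received."""
    queries, errors = [], []
    for line in text.splitlines():
        if (m := QUERY_RE.match(line)):
            q = m.groupdict()
            q["dport"] = PORT_NAMES.get(q["dport"], q["dport"])
            queries.append(q)
        elif (m := ICMP_RE.match(line)):
            e = m.groupdict()
            e["port"] = PORT_NAMES.get(e["port"], e["port"])
            errors.append(e)
    return queries, errors

def diagnose(text):
    """Name the affected service and count how many queries were answered only with an ICMP error."""
    queries, errors = parse_capture(text)
    if not errors:
        return {"status": "no ICMP port-unreachable errors seen"}
    (proto, port), count = Counter((e["proto"], e["port"]) for e in errors).most_common(1)[0]
    # A query is "rejected" when the server it was sent to later reports its port unreachable
    rejected = sum(1 for q in queries if any(
        e["ts"] > q["ts"] and e["src"] == q["dst"] and e["port"] == q["dport"] for e in errors))
    return {"service": SERVICES.get((proto, port), f"{proto}/{port}"),
            "server": errors[0]["host"], "queries_sent": len(queries),
            "queries_rejected": rejected, "icmp_errors": count}
```

Calling diagnose(CAPTURE) on the exercise log reports DNS on server 203.0.113.2 with all three queries rejected; run it over a real tcpdump -n capture to confirm whether every DNS query, or only some, draws an ICMP error.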

Step 2: Explain your analysis of the data and provide a solution to implement. (Provide as much information as possible)

Today, July 13, 2023, at approximately 1:25 p.m., customers called the organization to notify the IT team that they received the message “destination port unreachable” when they attempted to visit yummyrecipesforme.com. The network security professionals within the organization are currently investigating the issue so customers can access the website again. In our investigation into the issue, we conducted packet sniffing tests using tcpdump. In the resulting log file, we found that DNS port 53 was unreachable. The next step is to identify whether the DNS server is down or traffic to port 53 is blocked by the firewall. The DNS server might be down due to a successful Denial of Service attack or a misconfiguration.

  • I used the date reported; in this case, it’s the day I worked on this scenario.
  • In the log, the time (13:24:32.192571) is presented at the very beginning of the line. I used “approximately” to give a general time frame, since I rounded the time for the report. This is the time correlated with the incident, displayed on a 24-hour clock: hr:min:sec.fraction.
  • After the established date and time, I present an overview of what occurred (the IT team that they received the message “destination port unreachable” when they attempted to visit yummyrecipesforme.com.)
  • Then move into what is currently being done to correct the issue. This lets the reader know what is being addressed. (The network security professionals within the organization are currently investigating the issue so customers can access the website again.)
  • Follow what is currently being done with what has been done up to this point (In our investigation into the issue, we conducted packet sniffing tests using tcpdump.)
  • Whatever information was found during the previous test should follow each test that was conducted (we found that DNS port 53 was unreachable)
  • Provide the reader what your next anticipated step/solution is going to be (The next step is to identify whether the DNS server is down or traffic to port 53 is blocked by the firewall)
  • Finally, we want to present what may have caused this situation in the log (The DNS server might be down due to a successful Denial of Service attack or a misconfiguration.)

*scenario presented by Coursera’s Google Cybersecurity certification course