
Re: [Snort-sigs] DNS poisoning

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Tue May 27 2003 - 14:40:44 EDT


Given the nature of how a DNS poisoning attack works, it would be impossible for a simple rule to detect it. All of the packets used in a DNS poisoning attack are completely legitimate in format, so there's nothing "different" about them that a rule can detect.

What distinguishes poisoning from normal traffic is large numbers of the same reply with different IDs in them, most of which do not match the ID of the query.

Since being successful at DNS poisoning involves generating a "flood" of DNS responses directed at the querying DNS server, you can detect it using something like portscan1. Just look for very large numbers of packets within 1 second. 100 might make a good threshold.

The only drawback is if your resolving DNS server is very busy you might get some false alarms, but it is unlikely.

At 11:00 AM 5/27/2003 -0500, Vincent Vono wrote:
>Anyone have a rule (or does one exist) to detect DNS poisoning attempts?
>I've checked the default DNS rules of snort, but do not see one.
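The heuristic Matt describes, as an added example that is not part of the original thread: count replies for the same question arriving at one resolver with distinct transaction IDs inside a sliding one-second window, and alert at 100. The records and the resolver address 10.0.0.53 are constructed for the demonstration; a real deployment would feed it from a DNS response parser or the portscan preprocessor's output.

```python
"""Detector for the DNS-reply flood described in the post: many responses
for one question, each with a different transaction ID, hitting one
resolver within a one-second window."""
from collections import defaultdict

# Constructed sample records, not real captures: (timestamp, dst_ip, txid, qname).
# The resolver at 10.0.0.53 (assumed address) receives 120 answers for
# example.com with distinct IDs inside 0.6 s, plus three ordinary replies.
SAMPLE = [(100.0 + i * 0.005, "10.0.0.53", 0x1000 + i, "example.com.")
          for i in range(120)]
SAMPLE += [(100.3, "10.0.0.53", 0x2222, "example.org."),
           (101.7, "10.0.0.53", 0x2223, "example.org."),
           (102.4, "10.0.0.53", 0x2224, "example.net.")]


def find_reply_floods(records, window=1.0, threshold=100):
    """Return (dst_ip, qname, window_start_ts, distinct_ids) for every
    (resolver, question) pair that sees at least `threshold` replies with
    distinct transaction IDs inside any sliding window of `window` seconds."""
    by_key = defaultdict(list)
    for ts, dst, txid, qname in records:
        by_key[(dst, qname)].append((ts, txid))
    alerts = []
    for (dst, qname), events in by_key.items():
        events.sort()
        ids_in_window = defaultdict(int)   # txid -> occurrences inside the window
        left = 0
        for ts, txid in events:
            ids_in_window[txid] += 1
            # Advance the left edge so the window spans at most `window` seconds.
            while ts - events[left][0] > window:
                old_id = events[left][1]
                ids_in_window[old_id] -= 1
                if ids_in_window[old_id] == 0:
                    del ids_in_window[old_id]
                left += 1
            if len(ids_in_window) >= threshold:
                alerts.append((dst, qname, events[left][0], len(ids_in_window)))
                break   # one alert per (resolver, question) pair is enough
    return alerts


if __name__ == "__main__":
    for dst, qname, start, n in find_reply_floods(SAMPLE):
        print(f"possible poisoning flood: {n} distinct IDs for {qname} "
              f"at {dst} starting t={start}")
```

The normal replies never trip the threshold, and the two example.org answers are 1.4 s apart, so the sliding window also keeps them from accumulating.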




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue May 27 15:47:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

