[Snort-sigs] DNS poisoning
mkettler at ...189...
Tue May 27 11:41:11 EDT 2003
Given the nature of how a DNS poisoning attack works, it would be
impossible for a simple rule to detect it. All of the packets used in a DNS
poisoning attack are completely legitimate in format, so there's nothing
"different" about them that a rule can detect.
What distinguishes poisoning from normal traffic is large numbers of the
same reply with different IDs in them, most of which do not match the ID of
Since succeeding at DNS poisoning involves generating a "flood" of
DNS responses directed at the querying DNS server, you can detect it using
something like portscan1. Just look for very large numbers of packets within 1
second. 100 might make a good threshold.
The only drawback is if your resolving DNS server is very busy you might
get some false alarms, but it is unlikely.
At 11:00 AM 5/27/2003 -0500, Vincent Vono wrote:
>Anyone have a rule (or does one exist) to detect DNS poisoning attempts?
>I've checked the default DNS rules of snort, but do not see one.
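The threshold idea above (many replies to the same question, aimed at one resolver, within about a second, carrying varying transaction IDs) written out as a small offline detector. This is an added example, not code from the post or from Snort's portscan1 preprocessor; the record fields, the 100-per-second threshold and the sample addresses are constructed for illustration.

```python
"""Rate-based detector for DNS response floods, the traffic pattern behind
cache-poisoning attempts: many replies for the same name, sent to one
resolver, with differing transaction IDs, in a very short time."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsResponse:
    ts: float      # capture timestamp in seconds (constructed field layout)
    src: str       # source IP of the reply
    dst: str       # destination IP, i.e. the querying resolver
    qname: str     # question name echoed in the reply
    txid: int      # 16-bit DNS transaction ID


def detect_response_floods(responses: Iterable[DnsResponse],
                           window: float = 1.0,
                           threshold: int = 100) -> List[Dict]:
    """Group replies by (src, dst, qname) and slide a `window`-second window
    over each group's timestamps.  When more than `threshold` replies fall
    inside one window, emit one alert for that group (at the first window
    that exceeds the threshold) and report how many distinct transaction IDs
    the burst contained: a high count is the ID-guessing signature, a low
    count (retransmits of one reply) points at a busy but benign server."""
    groups: Dict[tuple, List[DnsResponse]] = defaultdict(list)
    for r in sorted(responses, key=lambda r: r.ts):
        groups[(r.src, r.dst, r.qname)].append(r)

    alerts = []
    for (src, dst, qname), pkts in groups.items():
        left = 0
        for right in range(len(pkts)):
            # shrink the window from the left until it spans <= `window` seconds
            while pkts[right].ts - pkts[left].ts > window:
                left += 1
            count = right - left + 1
            if count > threshold:
                burst = pkts[left:right + 1]
                alerts.append({
                    "src": src, "dst": dst, "qname": qname,
                    "count": count,
                    "distinct_txids": len({p.txid for p in burst}),
                    "start": burst[0].ts, "end": burst[-1].ts,
                })
                break  # one alert per group is enough
    return alerts


def sample_traffic() -> List[DnsResponse]:
    """Constructed sample: a benign trickle of replies from one upstream
    server plus a burst of 150 replies for a single name from another
    address, each carrying a different transaction ID."""
    resolver = "192.0.2.53"  # constructed resolver address
    pkts = []
    # benign: 20 replies spread over 20 seconds, one per name
    for i in range(20):
        pkts.append(DnsResponse(ts=float(i), src="198.51.100.10", dst=resolver,
                                qname=f"host{i}.example.net", txid=1000 + i))
    # burst: 150 replies for the same name within half a second
    for i in range(150):
        pkts.append(DnsResponse(ts=10.0 + i * 0.003, src="203.0.113.7",
                                dst=resolver, qname="www.example.com",
                                txid=(7 * i) & 0xFFFF))
    return pkts


if __name__ == "__main__":
    for a in detect_response_floods(sample_traffic()):
        print(f"{a['src']} -> {a['dst']} {a['qname']}: {a['count']} replies, "
              f"{a['distinct_txids']} distinct IDs in "
              f"{a['end'] - a['start']:.2f}s")
```

Keying on (source, resolver, question name) rather than on raw packet rate is what keeps a legitimately busy resolver from tripping the alarm: its many replies spread over many names, while the poisoning burst piles onto one. The distinct-ID count is the extra signal the post mentions; a burst of 101 replies with 101 different IDs is far more suspicious than 101 identical retransmits.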