[Snort-sigs] DNS poisoning

Matt Kettler mkettler at ...189...
Tue May 27 11:41:11 EDT 2003


Given the nature of how a DNS poisoning attack works, it would be 
impossible for a simple rule to detect it. All of the packets used in a DNS 
poisoning attack are completely legitimate in format, so there's nothing 
"different" about them that a rule can detect.

What distinguishes poisoning from normal traffic is large numbers of the 
same reply with different IDs in them, most of which do not match the ID of 
the query.

Since being successful at DNS poisoning involves generating a "flood" of 
DNS responses directed at the querying DNS server, you can detect it using 
something like portscan1. Just look for very large numbers of packets within 1 
second; 100 might make a good threshold.

The only drawback is if your resolving DNS server is very busy you might 
get some false alarms, but it is unlikely.

At 11:00 AM 5/27/2003 -0500, Vincent Vono wrote:
>Anyone have a rule (or does one exist) to detect DNS poisoning attempts?
>I've checked the default DNS rules of snort, but do not see one.

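The heuristic described above, as an added example (my code, written for this page; it is not from the post, from Snort, or from portscan1): a Python sketch that counts DNS responses per nameserver-to-resolver pair in a one-second sliding window, the way a portscan-style rate rule would, and alongside it the transaction-ID check from the second paragraph, which is what separates a spoofed flood from a merely busy resolver. It goes one step beyond the post by showing both checks side by side. Packets are constructed inline with a minimal RFC 1035 A-record builder; the IP addresses, thresholds and traffic scenarios are assumptions for illustration.

```python
import struct
from collections import defaultdict, deque

DNS_HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR_BIT = 0x8000                         # flags bit that marks a response
RD_BIT = 0x0100                         # recursion desired


def encode_qname(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns(txid, qname, response, rdata=b""):
    """Build a minimal A query, or an A response with one answer (RFC 1035 layout)."""
    flags = RD_BIT | (QR_BIT if response else 0)
    msg = DNS_HEADER.pack(txid, flags, 1, 1 if response else 0, 0, 0)
    msg += encode_qname(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if response:
        # Answer RR: pointer to the question name at offset 12, type A, class IN, TTL, RDLENGTH, RDATA
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return msg


def parse_dns(payload):
    """Return (txid, is_response, qname) from the header and the first question."""
    txid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(payload, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], DNS_HEADER.size
    while True:
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    return txid, bool(flags & QR_BIT), ".".join(labels)


class DnsFloodDetector:
    """Two detectors over the same traffic.

    rate_alerts:   responses from one source to one destination exceed
                   rate_threshold within `window` seconds (portscan-style).
    poison_alerts: of those responses, more than mismatch_threshold carry an ID
                   that matches no outstanding query from the destination.
    Thresholds are assumed values for illustration.
    """

    def __init__(self, window=1.0, rate_threshold=100, mismatch_threshold=20):
        self.window = window
        self.rate_threshold = rate_threshold
        self.mismatch_threshold = mismatch_threshold
        self.outstanding = defaultdict(set)   # (resolver, qname) -> live query IDs
        self.recent = defaultdict(deque)      # (src, dst) -> deque of (ts, id_matched)
        self.rate_alerts, self.poison_alerts = [], []
        self._rate_seen, self._poison_seen = set(), set()

    def observe(self, ts, src, dst, payload):
        txid, is_response, qname = parse_dns(payload)
        if not is_response:
            self.outstanding[(src, qname)].add(txid)   # remember what the resolver asked
            return
        live = self.outstanding[(dst, qname)]
        matched = txid in live
        if matched:
            live.discard(txid)                          # a real answer retires the query
        pair = (src, dst)
        dq = self.recent[pair]
        dq.append((ts, matched))
        while dq and ts - dq[0][0] > self.window:       # drop responses older than the window
            dq.popleft()
        mismatched = sum(1 for _, m in dq if not m)
        if len(dq) >= self.rate_threshold and pair not in self._rate_seen:
            self._rate_seen.add(pair)
            self.rate_alerts.append((ts, src, dst, len(dq)))
        if mismatched >= self.mismatch_threshold and pair not in self._poison_seen:
            self._poison_seen.add(pair)
            self.poison_alerts.append((ts, src, dst, mismatched))


def simulate():
    """Constructed traffic: a spoofed flood, then a busy but honest resolver."""
    det = DnsFloodDetector()
    resolver, ns = "192.0.2.53", "198.51.100.10"
    det.observe(0.0, resolver, ns, build_dns(0x1234, "www.example.com", False))
    for i in range(300):   # attacker guesses IDs 0..299, none equal 0x1234
        det.observe(0.001 * i, ns, resolver, build_dns(i, "www.example.com", True, b"\xcb\x00\x71\x01"))
    busy_resolver, busy_ns = "192.0.2.54", "198.51.100.20"
    for i in range(150):   # 150 distinct queries, each answered with the right ID
        name = f"host{i}.example.net"
        det.observe(10.0 + 0.005 * i, busy_resolver, busy_ns, build_dns(1000 + i, name, False))
        det.observe(10.0 + 0.005 * i + 0.001, busy_ns, busy_resolver, build_dns(1000 + i, name, True, b"\xcb\x00\x71\x02"))
    return det


if __name__ == "__main__":
    d = simulate()
    print("rate-only alerts (portscan-style):", d.rate_alerts)
    print("ID-mismatch alerts (poisoning):   ", d.poison_alerts)
```

Run as written, the rate-only check fires on both the spoofed flood and the busy resolver (the false alarm the post warns about), while the ID-mismatch check fires only on the flood. On real traffic the detector would sit on a tap in front of the resolver and feed `observe()` from decoded UDP/53 payloads; the one-second window and the two thresholds are the knobs to tune against the resolver's normal query rate.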