[Snort-users] Identifying dnsspoof

Johan.Augustsson Johan.Augustsson at ...796...
Thu Jan 4 10:50:12 EST 2001

Dug Song has released a new version of dsniff 
(http://www.monkey.org/~dugsong/dsniff/) which now contains a tool for 
spoofing a standard query response from a DNS server. If a hacker has the 
possibility to access a computer where he can run the program, he can send 
a standard query response saying that www.your-bank.com has the ip-address 
of www.evil-bank.com (which is the hacker's copy of the www.your-bank.com 
website) to all clients that send a standard query for www.your-bank.com. The 
tricky part is to answer the client before the real DNS does.

I've been waiting for this tool to show up and started to analyse the query 
responses from dnsspoof.
There are at least two things that are a bit odd.

1. It sends at least two identical responses at a rapid pace.
2. The answer's "Time to live" (not the IP TTL) is set to 1 minute - a very 
short time.

I've never seen a legitimate standard query response with such a short Time 
to live value.

The following rule will help Snort to detect if there is any dnsspoof going on.

alert udp any 53 -> any any (msg:"Standard query response with very short Time to live - DNSSPOOF"; content:"|000100010000003c0004|";)

The string that this rule is searching for:

0001 - Type: Host address
0001 - Class: inet
0000003c - Time to live: 1 minute
0004 - Data length

/Johan Augustsson
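The check the rule above encodes as a byte signature can also be done by parsing the DNS response properly and looking at the TTL of each A record in the answer section, which is what the following script does. This is an added example written for this page, not code from the post or from dsniff/Snort; the two packets it works on are constructed by hand (hypothetical names, addresses and transaction IDs) to look like a dnsspoof-style reply with a 60-second TTL and an ordinary reply with a one-hour TTL. It also reports the literal byte pattern the Snort rule searches for, and counts identical responses, the other indicator the post mentions.

```python
"""Flag DNS responses whose A records carry a suspiciously short TTL.

Added example, not part of the original post. Sample packets below are
constructed; the names, IPs and transaction IDs are made up.
"""
import struct

SHORT_TTL = 60  # seconds; the TTL the post observed in dnsspoof replies


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, ip, ttl):
    """Build a minimal standard-query response with one A answer.

    The answer name is a compression pointer (0xC00C) back to the question,
    as most resolvers send it, so the answer RR is
    name(2) type(2) class(2) ttl(4) rdlength(2) rdata(4).
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2  # compression pointer: two bytes, then the name ends
        off += 1 + length


def parse_answers(buf):
    """Return (type, class, ttl, rdata) for each RR in the answer section."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        return []  # QR bit clear: a query, not a response
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        answers.append((rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return answers


def short_ttl_a_records(buf, threshold=SHORT_TTL):
    """Return the IPs of A/IN answers whose TTL is at or below threshold."""
    hits = []
    for rtype, rclass, ttl, rdata in parse_answers(buf):
        if rtype == 1 and rclass == 1 and ttl <= threshold and len(rdata) == 4:
            hits.append(".".join(str(b) for b in rdata))
    return hits


def matches_signature(buf):
    """The literal pattern from the Snort rule: type A, class IN, TTL 60, RDLENGTH 4."""
    return bytes.fromhex("000100010000003c0004") in buf


def repeated_identical(payloads):
    """Indicator 1 from the post: the same response bytes seen more than once."""
    counts = {}
    for p in payloads:
        counts[p] = counts.get(p, 0) + 1
    return [p for p, n in counts.items() if n > 1]


# Constructed sample traffic (hypothetical names and addresses).
SPOOFED = build_response(0x1234, "www.your-bank.com", "192.0.2.66", 60)
LEGIT = build_response(0x1234, "www.your-bank.com", "198.51.100.10", 3600)

if __name__ == "__main__":
    for label, pkt in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, short_ttl_a_records(pkt), matches_signature(pkt))
    print("duplicates:", len(repeated_identical([SPOOFED, SPOOFED, LEGIT])))
```

Running it prints the spoofed address and a signature match for the first packet and nothing for the second. Feeding it UDP payloads from port 53 captured on the wire is the intended use; the TTL threshold is a parameter so it can be tuned to what a given resolver normally hands out.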
