[Snort-users] Identifying dnsspoof
Johan.Augustsson at ...796...
Thu Jan 4 10:50:12 EST 2001
Dug Song has released a new version of dsniff
(http://www.monkey.org/~dugsong/dsniff/) which now contains a tool for
spoofing a standard query response from a DNS. If a hacker has the
possibility to access a computer where he can run the program, he can send
a standard query response saying that www.your-bank.com has the IP address
of www.evil-bank.com (which is the hacker's copy of the www.your-bank.com
website) to all clients that send a standard query for www.your-bank.com. The
tricky part is to answer the client before the real DNS does.
I've been waiting for this tool to show up and started to analyse the query
responses from dnsspoof.
There are at least two things that are a bit odd.
1. It sends at least two identical responses at a rapid pace.
2. The answer's "Time to live" (not the IP TTL) is set to 1 minute - very
I've never seen a legitimate standard query response with such a short Time
to live value.
The following rule will help Snort to detect if there is any dnsspoof going on.
alert udp any 53 -> any any (msg:"Standard query response with very short Time to live - DNSSPOOF"; content:"|000100010000003c0004|";)
The string that this rule is searching for:
0001 - Type: Host address
0001 - Class: inet
0000003c - Time to live: 1 minute
0004 - Data length
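To show what the rule's byte string corresponds to inside a real answer record, and to check both oddities described above (the 1-minute TTL and the rapid identical responses) on decoded packets rather than on a raw byte match, here is an added Python example. It is not part of the original post or of dsniff/Snort; the DNS response it builds (hostname www.example.test, address 192.0.2.10, transaction ID 0x1234) is constructed inline for illustration, and the 1-second duplicate window is an assumed threshold.

```python
import struct

# --- Constructed sample data (not a capture) -------------------------------
# A minimal DNS standard query response: header, one question, one A record.
# The txid is made up; a spoofed reply would copy the client's own txid.
def build_response(name, ip, ttl, txid=0x1234):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    qname = labels + b"\x00"
    # flags 0x8180: response, recursion desired + available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    # TYPE=1 (A), CLASS=1 (IN), TTL, RDLENGTH=4 are exactly the ten bytes
    # the Snort content string matches when TTL is 60 seconds (0x0000003c).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

# --- Parsing ----------------------------------------------------------------
def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length

def parse_answers(buf):
    """Decode the answer section into (type, class, ttl, rdata) tuples."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4    # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        answers.append((rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return answers

# --- Detection checks -------------------------------------------------------
SHORT_TTL = 60   # 1 minute, the value the post observed from dnsspoof

def short_ttl_a_records(buf, threshold=SHORT_TTL):
    """List (ttl, dotted-ip) for every IN A answer whose TTL is <= threshold."""
    return [(ttl, ".".join(str(b) for b in rdata))
            for rtype, rclass, ttl, rdata in parse_answers(buf)
            if rtype == 1 and rclass == 1 and len(rdata) == 4 and ttl <= threshold]

SNORT_PATTERN = bytes.fromhex("000100010000003c0004")   # the rule's content

def matches_snort_rule(buf):
    """Raw byte match, equivalent to the Snort rule's content test."""
    return SNORT_PATTERN in buf

class DuplicateResponseTracker:
    """Flags an identical response payload seen again within `window` seconds
    (the 'two identical responses at a rapid pace' behaviour)."""
    def __init__(self, window=1.0):   # assumed threshold
        self.window = window
        self.last_seen = {}

    def observe(self, buf, timestamp):
        key = bytes(buf)
        previous = self.last_seen.get(key)
        self.last_seen[key] = timestamp
        return previous is not None and timestamp - previous <= self.window

if __name__ == "__main__":
    spoofed = build_response("www.example.test", "192.0.2.10", 60)
    legit = build_response("www.example.test", "192.0.2.10", 3600)
    print("short-TTL A records:", short_ttl_a_records(spoofed))
    print("snort rule match:", matches_snort_rule(spoofed), matches_snort_rule(legit))
    tracker = DuplicateResponseTracker()
    print("duplicate burst:", tracker.observe(spoofed, 0.0), tracker.observe(spoofed, 0.2))
```

The decoded check is the more robust of the two: the raw content match only fires when TTL is exactly 60 seconds and the record sits in the compressed-name layout shown, whereas the parser applies the same threshold to every A record regardless of how the name is encoded. Pairing it with the duplicate tracker covers both observations from the post.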