[Snort-users] Secure - NSLOOKUP
gbinder at ...462...
Mon Jan 8 14:27:54 EST 2001
Joseph Hager on Mon, Jan 08, 2001 at 12:57:07PM -0500:
> If a person has that much access to your box.. the script that I'm
> requesting is hardly going to be an issue.. don't you think? And my
> thoughts on creating a ip.cache type file.. would help prevent the DoS
> attack by only requesting a lookup once per "X" amount of time. I don't see
> it being any more of an issue then if a person was simply portscanning a
> network and forcing snort to log that information to syslog.
If everything people are doing were simple portscans, I would not run
snort at all. I am assuming a clever attacker who knows that this
functionality exists in snort. He will most likely not fire up nessus
and throw 500 or more signatures at you, nor will he run a portscan
that will be easy to detect. If I knew you run such a system, and I
wanted to be clever, I'd try a few exploits against you from different
hosts under my control, and see which ones result in a reverse lookup
on that IP from your system. Not only will this maybe give me the IP
of your sensor, it will also show me what you know about and what not
(in terms of signatures).
As far as the fork-DoS goes, have somebody running a distributed DoS
against you, or send you a few hundred spoofed packets with different
source addresses and something that will cause an alert, and your box
will happily spawn as many nslookups that will certainly take longer
to complete than it takes to send the packets. -> DoS :)
I would have a tendency to post-process your logs (every night from cron
or something) or use a frontend that can do DNS lookups when you want
them. Stealthy and safe ;)
Gregor Binder <gregor.binder at ...462...> http://sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
More information about the Snort-users