DNS suxx0rz (was: Re: [Snort-users] Signature for this?)

Dragos Ruiu dr at ...381...
Sun Sep 8 12:04:17 EDT 2002


On September 8, 2002 04:32 pm, Frank Knobbe wrote:
> On Sat, 2002-09-07 at 23:37, Michael Scheidell wrote:
> > > is anyone aware of a snort sig for this one?
> > > http://www.theregister.co.uk/content/55/26967.html
> >
> > sounds more complicated than a snort sig.
>
> Yeah, I was afraid you guys would say that...
>
> Wasn't there someone working on a DNS pre-processor? Maybe that would
> catch it (overly long DNS responses, etc.)

Well you might think that snort may not help.... but it could.

It should be considered a GOOD THING(tm) to flag large
DNS packets, port 53 {tcp, udp} as suspicious. Rules for
this might be nice thing to add to your standard rule-sets
(whadyathink cazz?).

Certainly any DNS packet that has a size of bigger than 1K
should be considered extremely suspect. This kind of a rule 
_will_ catch some DNS overflow attacks. If you have a higher
tolerance for weeding out falses you may want to lower
this limit to the 400-600 byte range as those kinds of monster-
grams should be rare. (Old DNS resolver codes peg MAXPACKET
at 1K and there are a whole bunch of 512byte limits in some
codes.)  Below this range you are into the territory of garden
variety DNS queries and the length checking won't do much 
good, and if there is a way of  of exploiting our infinitely 
crappy resolver codes (and they _all_ suck, and I _have_ 
been looking at them), with smaller ordinary packets like 
say a (hypothetical :-) byte alignment problem in the expanded
form of the hostname, then this kind of length checking 
might not do much.  But odds are high (:-P) that even this kind
of a hypothetical exploit might need to send some big packets
to exploit the flaw so adding this kind of rule sure seems
like a good idea.

cheers,
--dr

P.S. Did I ever say how much DNS sucks?
   Libc resolver is ugly, and bind sucks even more.

P.P.S. I have been working on porting Cerebus 1.3 to
 more architectures, and some new ones are up at
 http://dragos.com/cerebus ... Solaris-Sparc64 and
 Linux-IA64 were recently added. Fortunately the
 64bit arches added only a couple of ifdefs. But
 why does Solaris have to use uint32_t instead of 
 u_int32_t? Sigh....

-- 
dr at ...381...   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002





More information about the Snort-users mailing list