[Snort-users] snort dns spoof alerts

chatiman chatiman at ...953...
Wed Nov 10 21:39:09 EST 2004


I noticed some DNS SPOOF attacks in my logs.

The source IP is set to one of the DNS servers of
my provider.

According to snort.org, there's no known false positive
for this rule.

So I tried to find out which request was spoofed
from the tcpdump logs:
- I extracted DNS requests created the same day of the

What I found is a dozen lines like:
<time> IP <isp-dns> > <myip>:60412:  2236 1/0/0 A <myip> (48)

This seems to be a dangerous kind of attack to me (e.g. spoofing the
IP of an e-commerce site, mail servers ...)

Can I do something to protect against that?
Do I need to report it to my ISP?
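The check the poster describes (pairing each DNS answer in a tcpdump capture with the query that should have caused it) can be automated. The script below is an added example, not code from the post or from the Snort project. It assumes tcpdump's default one-line DNS summary format (query: `id+ A? name.`, answer: `id counts A address`), with dot-separated ports, and it works on a constructed sample capture embedded inline. From the victim's side, a spoofed or injected reply shows up as an answer for which no matching query (same client port and transaction ID) is in the capture, or as a late duplicate that arrives after the real answer was already accepted; the example also flags answers whose A record points at the receiving host itself, which is what the quoted log line shows. Queries must be present in the capture for the pairing to work, so the capture filter has to include both directions of port 53 traffic.

```python
import re
from collections import namedtuple

# Constructed sample in tcpdump's default DNS summary format (not from the post).
# 192.0.2.10 is the monitored host, 198.51.100.53 stands in for the ISP resolver.
SAMPLE_CAPTURE = """\
21:39:09.100001 IP 192.0.2.10.60412 > 198.51.100.53.53: 2236+ A? www.example.com. (33)
21:39:09.100450 IP 198.51.100.53.53 > 192.0.2.10.60412: 2236 1/0/0 A 93.184.216.34 (49)
21:39:10.200001 IP 198.51.100.53.53 > 192.0.2.10.60412: 2236 1/0/0 A 192.0.2.10 (48)
21:39:11.300001 IP 192.0.2.10.60413 > 198.51.100.53.53: 2237+ A? mail.example.com. (34)
21:39:11.300600 IP 198.51.100.53.53 > 192.0.2.10.60413: 2237 1/0/0 A 93.184.216.35 (50)
21:39:12.400001 IP 198.51.100.53.53 > 192.0.2.10.60414: 9999 1/0/0 A 203.0.113.7 (48)
"""

# Query line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>+ A? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<txid>\d+)\+ A\? (?P<name>\S+) \(\d+\)$"
)
# Answer line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>[*|-] a/n/ad A <addr> (<len>)"
RESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<txid>\d+)[*|$-]* "
    r"(?P<counts>\d+/\d+/\d+) A (?P<answer>\d+\.\d+\.\d+\.\d+) \(\d+\)$"
)

Finding = namedtuple("Finding", "ts txid name answer reasons")


def analyze(capture_text, my_ip):
    """Pair answers with outstanding queries and return the suspicious answers.

    A query is identified by (client ip, client port, transaction id). The first
    answer that matches consumes the entry, mirroring what a resolver does; any
    further answer for the same key has nothing to match and is reported.
    """
    outstanding = {}  # (client_ip, client_port, txid) -> queried name
    findings = []
    for line in capture_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            outstanding[(q["src"], q["sport"], q["txid"])] = q["name"]
            continue
        r = RESP_RE.match(line)
        if not r:
            continue  # not an A query/answer summary line; ignore
        key = (r["dst"], r["dport"], r["txid"])
        name = outstanding.pop(key, None)
        reasons = []
        if name is None:
            reasons.append("no matching query in capture (unsolicited or late duplicate)")
        if r["answer"] == my_ip:
            reasons.append("A record resolves to the receiving host itself")
        if reasons:
            findings.append(Finding(r["ts"], r["txid"], name, r["answer"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE, "192.0.2.10"):
        print(f"{f.ts} txid={f.txid} answer={f.answer}: {'; '.join(f.reasons)}")
```

On the sample this reports the second answer for transaction 2236 (a duplicate arriving after the genuine one, and pointing at the host's own address) and the answer with transaction 9999, for which no query exists in the capture. Run it over a real file with `analyze(open("dns.txt").read(), "<your ip>")`; answers flagged only as "late duplicate" can also be caused by a retransmitted query that fell outside the capture window, so the timestamps and the answered name are worth checking by hand before reporting.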


