29 August, 2008

Snort DNS preprocessor

Scott Campbell of NERSC posted to the snort-devel mailing list today about his DNS preprocessor that is designed to detect DNS cache poisoning and DNS fast flux. His write-up on both features looks interesting and I hope to play with the preprocessor on my lab setup. Note that he recommends not running this in production because it is an early beta.

For full details, check his write-up, but the following quotes explain that the preprocessor checks three basic conditions for DNS cache poisoning:

  • Multiple responses to a query where the DNS server IP and query name match, but the transaction ID varies.
  • Multiple responses to a query where the DNS server IP, query name and transaction ID match.
  • Unexpected responses where there is no observed question.
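As an added illustration of those three checks (my own code, not the preprocessor's), the Python below tracks queries and responses per resolver IP and query name and raises one alert per condition; the event format, the sample traffic and the condition names are assumptions of this example, and it keeps no time window, which a real implementation would need:

```python
"""Toy model of the three cache-poisoning conditions quoted above."""
from collections import defaultdict

# Constructed event stream, not a capture from the post.
SAMPLE_EVENTS = [
    {"kind": "query",    "server": "192.0.2.53", "qname": "example.com", "txid": 0x1A2B},
    {"kind": "response", "server": "192.0.2.53", "qname": "example.com", "txid": 0x1A2B},
    # second answer to the same question, different transaction ID: condition 1
    {"kind": "response", "server": "192.0.2.53", "qname": "example.com", "txid": 0x9C3D},
    {"kind": "query",    "server": "192.0.2.53", "qname": "example.net", "txid": 0x0042},
    {"kind": "response", "server": "192.0.2.53", "qname": "example.net", "txid": 0x0042},
    # identical repeat of the previous answer (same ID): condition 2
    {"kind": "response", "server": "192.0.2.53", "qname": "example.net", "txid": 0x0042},
    # answer for a name no one asked about: condition 3
    {"kind": "response", "server": "192.0.2.53", "qname": "example.org", "txid": 0x7777},
]


def analyze(events):
    """Return a list of (condition, server, qname, txid) tuples.

    Conditions (names are this example's own):
      txid_varies        - several responses, same server+qname, different ID
      duplicate_response - several responses, same server+qname+ID
      unsolicited        - a response for which no query was observed
    """
    asked = defaultdict(set)    # (server, qname) -> txids of observed queries
    answered = defaultdict(list)  # (server, qname) -> txids of responses seen
    alerts = []
    for ev in events:
        key = (ev["server"], ev["qname"])
        txid = ev["txid"]
        if ev["kind"] == "query":
            asked[key].add(txid)
            continue
        if key not in asked:
            alerts.append(("unsolicited", *key, txid))
        elif txid in answered[key]:
            alerts.append(("duplicate_response", *key, txid))
        elif answered[key]:
            alerts.append(("txid_varies", *key, txid))
        answered[key].append(txid)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("%-18s server=%s qname=%s txid=0x%04x" % alert)
```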

The explanation of fast flux detection is a little more involved, and he also mentions that it will detect sites that are designed to behave in a similar way to fast flux, for example ntp.pool.org and chat.freenode.net.

If I get the chance to play with the preprocessor, I will definitely document my experience.

02 August, 2008

July Dailydave

The Dailydave mailing list was full of interesting and fun posts during the month of July. The "Immunity Certified Network Offense Professional" thread and all the threads about Dan Kaminsky's DNS cache poisoning were interesting. That said, the cache poisoning has certainly not been under-analyzed and I'm happy to read about other topics at this point.