In addition to detection, how about prevention? There is a an easy way
to thwart the attack (most likely) for those DNS servers that are deployed
on (or behind) either Linux or OpenBSD without patching the DNS server
(which is preferrable of course, but not everyone can):
> There are Shared Object rules available for the DNS Cache Poisoning attack
> that are VRT certified available via subscription at www.snort.org.
>
> J
>
> On Jul 16, 2008, at 10:38 PM, Ravi Chunduru wrote:
>
>> Does anybody have snort or Intrupro-IPS signature(s) to detect DNS
>> Cache Poisoning attack?
>> Also, is there any PoC to simulate the attack and test the
>> effectiveness of signature(s)?
>>
>> thanks
>> Ravi
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to
>> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
>> to learn more.
>> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing itwith real-world attacks from CORE
> IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfwto
> learn more.
> ------------------------------------------------------------------------
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------
to thwart the attack (most likely) for those DNS servers that are deployed
on (or behind) either Linux or OpenBSD without patching the DNS server
(which is preferrable of course, but not everyone can):
http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-at
tacks-with-iptables.html
http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.h
tml
--Mike
On Jul 17, 2008, Joel Esler wrote:
> There are Shared Object rules available for the DNS Cache Poisoning attack
> that are VRT certified available via subscription at www.snort.org.
>
> J
>
> On Jul 16, 2008, at 10:38 PM, Ravi Chunduru wrote:
>
>> Does anybody have snort or Intrupro-IPS signature(s) to detect DNS
>> Cache Poisoning attack?
>> Also, is there any PoC to simulate the attack and test the
>> effectiveness of signature(s)?
>>
>> thanks
>> Ravi
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to
>> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
>> to learn more.
>> ------------------------------------------------------------------------
>>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing itwith real-world attacks from CORE
> IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfwto
> learn more.
> ------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------
[ reply ]