By now everyone's heard about the DNS issues Dan Kaminsky discovered, which have since been deduced/leaked. (http://www.doxpara.com/ and others) Several people have asked privately if we've got signatures coming for the issue. Unfortunately, as I understand the issues, there's not much we can do with Snort. We'd need to track query IDs (qids) between packets in different streams, which is something Snort can't do. And if it could, it'd be a MASSIVE load no matter how it were implemented.
What I've done personally is set up blocking sigs something like:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"JONKMAN Excessive DNS Traffic"; threshold: type both, track by_src, count 30, seconds 30; sid:xxx; rev:1;)

This catches the IPs that are already hitting me pushing www.microsoft.com to try to poison. My DNS servers are all patched already, but I prefer to block idiots. And my DNS servers are only serving domains, not acting as primary resolvers for anyone, so 30 requests in 30 seconds is way out of line.
The problem with this sig is that you have to decide what an acceptable threshold is for you. But if you shouldn't have inbound DNS requests at all, a firewall rule would be most appropriate.
So, just my thoughts here. If anyone has an idea for a better, more universal Snort sig, please let us know. In the meantime, I'd recommend something like the above just to catch someone essentially brute forcing your DNS cache.
Matt
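To make the thresholding in that rule concrete, here is an added Python example (mine, not Matt's posted rule or any Snort code) that replays constructed DNS query log lines through the three Snort `threshold` types tracked by source IP. The log lines, the documentation-range IPs (203.0.113.7, 198.51.100.20) and the window-start behaviour are assumptions; the type semantics follow the Snort manual's description of limit/threshold/both rather than Snort's source.

```python
"""Offline model of a Snort `threshold:` rule option applied to constructed DNS
query log lines. Added example; not Matt's rule and not Snort's implementation."""


def build_sample_log():
    """Constructed log in the form "<seconds> <src_ip> A? <qname>", one query per line.
    203.0.113.7 plays a poisoning attempt hammering an authoritative server;
    198.51.100.20 is an ordinary source sending a handful of queries."""
    lines = []
    # first burst: 45 queries in about 22 s
    lines += ["%.3f 203.0.113.7 A? www.microsoft.com" % (0.5 * i) for i in range(45)]
    # quiet gap, then a second burst: 65 queries in about 16 s
    lines += ["%.3f 203.0.113.7 A? www.microsoft.com" % (40 + 0.25 * i) for i in range(65)]
    lines += ["%.3f 198.51.100.20 A? example.com" % t for t in (1.0, 2.0, 3.0)]
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    """Return (timestamp, src_ip) pairs from the constructed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src = line.split()[:2]
        events.append((float(ts), src))
    return events


def apply_threshold(events, kind, count, seconds):
    """Replay events through a Snort-style threshold tracked by source IP.

    kind is "limit", "threshold" or "both", with the meanings from the Snort manual:
      limit      alert on the first `count` events in each window, ignore the rest
      threshold  alert every `count` events within a window
      both       alert once per window, on the `count`-th event, ignore the rest
    Assumption: a source's window opens at its first event and is re-opened by the
    first event that arrives `seconds` or more after that.
    Returns the list of (timestamp, src_ip) at which the rule would alert.
    """
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("unknown threshold type: %r" % kind)
    state = {}  # src_ip -> [window_start, events_seen_in_window]
    alerts = []
    for ts, src in sorted(events):
        st = state.get(src)
        if st is None or ts - st[0] >= seconds:
            st = [ts, 0]
            state[src] = st
        st[1] += 1
        seen = st[1]
        if kind == "limit":
            fire = seen <= count
        elif kind == "threshold":
            fire = seen % count == 0
        else:  # both
            fire = seen == count
        if fire:
            alerts.append((ts, src))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for kind in ("both", "threshold", "limit"):
        hits = apply_threshold(events, kind, 30, 30)
        print("type %-9s -> %2d alerts from %s"
              % (kind, len(hits), sorted({s for _, s in hits})))
```

With count 30, seconds 30 the `both` type fires once per window for the bursting source and never for the three-query source, which is what the rule above relies on. `limit` would instead fire on each of the first 30 queries per window and `threshold` on every 30th query, so the type matters as much as the count when you tune this for your own traffic.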