In addition to detection, how about prevention? There is a an easy way to thwart the attack (most likely) for those DNS servers that are deployed on (or behind) either Linux or OpenBSD without patching the DNS server (which is preferrable of course, but not everyone can):
http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html --Mike On Jul 17, 2008, Joel Esler wrote: > There are Shared Object rules available for the DNS Cache Poisoning attack > that are VRT certified available via subscription at www.snort.org. > > J > > On Jul 16, 2008, at 10:38 PM, Ravi Chunduru wrote: > >> Does anybody have snort or Intrupro-IPS signature(s) to detect DNS >> Cache Poisoning attack? >> Also, is there any PoC to simulate the attack and test the >> effectiveness of signature(s)? >> >> thanks >> Ravi >> >> ------------------------------------------------------------------------ >> Test Your IDS >> >> Is your IDS deployed correctly? >> Find out quickly and easily by testing it >> with real-world attacks from CORE IMPACT. >> Go to >> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw >> to learn more. >> ------------------------------------------------------------------------ >> > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing itwith real-world attacks from CORE > IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto > > learn more. > ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
