[nsp-sec] DNS poisoning activity in the wild

Ross, Jason Jason.Ross at GlobalCrossing.com
Wed Jul 30 11:06:54 EDT 2008


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Jose Nazario
> Sent: Wednesday, July 30, 2008 10:37 AM
> To: nsp-security NSP
> Subject: [nsp-sec] DNS poisoning activity in the wild
>
> ----------- nsp-security Confidential --------
>

<snip>

> at arbor we've seen a spike in version.bind. queries but our sensors
> haven't been tuned to look for the poison attacks, so we don't know how
> much of that is afoot.

Has a decent fingerprint for the attack been developed that NSPs could
look for? I've seen some talk about maybe using the MSF 'check' packets
which do queries for "spoofable*red.metasploit.com", but that only
catches the MSF version, and it supposes that the attacker runs the check.

You could potentially also check for a TTL of 31337, but this is settable
within the framework, again only catches traffic from that tool, and further
presumes that it doesn't get changed.

I'd also like to know if there's an effective way to check a given NS to
determine if it has been poisoned. I can think of a couple of brain-dead
ways (e.g. query for popular sites comparing results to a trusted RR, or
maybe even checking the returned RR against the AS it's at, etc.) but I'm
not sure they're very effective, and they almost certainly don't scale.

There's some discussion of the above questions going on in various sec
mailing lists but I haven't seen a decent answer yet; though I'm not
sub'd to dns-ops or similar, where such a thread may have been
sufficiently resolved. (I keep meaning to "get around to it"...)

Disclaimer: I'm not a DNS guru, so if the above has my n00b showing,
feel free to smack with a cluebat =)

--
Jason Ross
Global Crossing
Information Security
GPG Key: 0xEC11B25A
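The two detection ideas raised in the message (flagging the Metasploit 'check' query name and its default IP TTL of 31337 in resolver query logs, and comparing a resolver's answers for popular names against a trusted resolver) are written out below as an added example. This is not code from the list post or from any NSP's tooling: the query-log line format, the sample log lines, the IP addresses (documentation ranges) and the answer sets are all constructed for the example; only the `spoofable*red.metasploit.com` pattern and the 31337 TTL come from the message.

```python
import fnmatch
import re
from typing import Dict, List, Set, Tuple

# --- Part 1: fingerprinting MSF 'check' traffic in a query log -----------------
#
# The line format "client <ip> ttl <n> query <qname> IN <qtype>" is an assumption
# for this example (hypothetical), not any real resolver's log layout. The "ttl"
# field is meant to be the IP-header TTL of the query packet as seen by a sensor.
# All lines below are constructed sample data.
SAMPLE_LOG = """\
2008-07-30T10:37:01 client 192.0.2.10 ttl 31337 query spoofable1a2b.red.metasploit.com IN A
2008-07-30T10:37:02 client 192.0.2.10 ttl 31337 query www.example.com IN A
2008-07-30T10:37:03 client 198.51.100.7 ttl 64 query version.bind IN TXT
2008-07-30T10:37:04 client 198.51.100.7 ttl 128 query mail.example.net IN MX
2008-07-30T10:37:05 client 203.0.113.5 ttl 55 query spoofable9f8e.red.metasploit.com IN A
"""

LOG_RE = re.compile(
    r"client (?P<src>\S+) ttl (?P<ttl>\d+) query (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Both indicators are quoted from the message: the check query's name pattern and
# the framework's default packet TTL. Both are tool defaults an attacker can change,
# so a miss proves nothing; a hit is a lead for the analyst, not a verdict.
MSF_CHECK_PATTERN = "spoofable*red.metasploit.com"
MSF_DEFAULT_TTL = 31337


def parse_log(text: str) -> List[dict]:
    """Turn the constructed log lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            records.append(rec)
    return records


def is_msf_check_name(qname: str) -> bool:
    """True if the query name matches the MSF 'check' probe pattern (case-insensitive)."""
    return fnmatch.fnmatchcase(qname.lower().rstrip("."), MSF_CHECK_PATTERN)


def find_check_activity(records: List[dict]) -> Dict[str, Set[str]]:
    """Map each source address to the set of indicators it tripped.

    'check-query' is the stronger signal (the probe name is very specific);
    'msf-ttl' alone is weak, since 31337 could in principle be any host's TTL.
    """
    hits: Dict[str, Set[str]] = {}
    for rec in records:
        reasons = set()
        if is_msf_check_name(rec["qname"]):
            reasons.add("check-query")
        if rec["ttl"] == MSF_DEFAULT_TTL:
            reasons.add("msf-ttl")
        if reasons:
            hits.setdefault(rec["src"], set()).update(reasons)
    return hits


# --- Part 2: comparing a resolver's answers against a trusted resolver ---------
#
# Answer sets keyed by name; constructed values. In practice these would come from
# querying the resolver under test and a trusted one for the same popular names.
TEST_ANSWERS: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.66"},          # disagrees with trusted view
    "mail.example.net": {"198.51.100.25"},
    "ns.example.org": {"192.0.2.53", "192.0.2.54"},
}
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.80"},
    "mail.example.net": {"198.51.100.25"},
    "ns.example.org": {"192.0.2.54", "192.0.2.53"},  # same set, different order
}


def compare_answers(test: Dict[str, Set[str]],
                    trusted: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return the names whose RRset on the resolver under test differs from the trusted one.

    Set comparison ignores record order. A mismatch is only a lead: CDNs and GeoDNS
    legitimately hand different clients different answers, which is exactly why the
    message calls this approach brain-dead and doubts it scales.
    """
    mismatches = {}
    for name, trusted_set in trusted.items():
        test_set = test.get(name, set())
        if test_set != trusted_set:
            mismatches[name] = (test_set, trusted_set)
    return mismatches


if __name__ == "__main__":
    for src, reasons in sorted(find_check_activity(parse_log(SAMPLE_LOG)).items()):
        print(f"{src}: {', '.join(sorted(reasons))}")
    for name, (got, want) in compare_answers(TEST_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"MISMATCH {name}: resolver says {sorted(got)}, trusted says {sorted(want)}")
```

On the constructed sample, 192.0.2.10 trips both indicators, 203.0.113.5 only the query-name one (its TTL was changed from the default), and 198.51.100.7 trips neither, which illustrates the message's point that the TTL is a weak, tool-specific signal while the probe name is specific but only appears if the attacker actually runs the check.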
