https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051267#M79307 <P>Can we get some details on what this signatures is looking at? Does it do anything more intelligent than look at query throughput? I'm thinking something more along the lines of these Snort rules:</P><P></P><P>#by many very smart people</P><P># This may be a high load sig. Take time and seriously consider </P><P># that your dns_servers var is set as narrowly as possible</P><P>alert udp any 53 -&gt; $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,&gt;,0,6; byte_test:2,&gt;,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)</P><P></P><P>#this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you</P><P>alert udp any 53 -&gt; $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&amp;,128,2; byte_test:1,&amp;,3,1,relative; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008470; rev:1;)</P><P></P> Sun, 10 Mar 2019 11:13:07 GMT mhellman 2019-03-10T11:13:07Z https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051267#M79307 <P>Can we get some details on what this signatures is looking at? Does it do anything more intelligent than look at query throughput? I'm thinking something more along the lines of these Snort rules:</P><P></P><P>#by many very smart people</P><P># This may be a high load sig. Take time and seriously consider </P><P># that your dns_servers var is set as narrowly as possible</P><P>alert udp any 53 -&gt; $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,&gt;,0,6; byte_test:2,&gt;,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)</P><P></P><P>#this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you</P><P>alert udp any 53 -&gt; $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&amp;,128,2; byte_test:1,&amp;,3,1,relative; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008470; rev:1;)</P><P></P> Sun, 10 Mar 2019 11:13:07 GMT https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051267#M79307 mhellman 2019-03-10T11:13:07Z https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051268#M79308 <HTML><HEAD></HEAD><BODY><P>4004 just looks for a flood basically. In s347, we're making that pps rate visible. That number is currently set at 500.</P><P></P><P>I will say that dns responses with more than 1 RR are completely normal and happen all the time. I was watching some of my own dns traffic and I was getting responses with multipl RRs from things like Yahoo, Google CNN... completely normal and legitimate, nothing odd about it.</P><P></P><P>Does honing in on that make a sig any more specific - not really - its still a flood. Its the rate thats the kicker and what works for small shops, doesn't work for large shops - so you do have to have some handle of what you "normally" see. I'm not saying that looking for more might not be something that's useful, but it'll largely depend on what you normally see.</P><P></P><P>The traffic itself is legitimate, albeit crammed with bogus data.</P></BODY></HTML> Fri, 25 Jul 2008 20:51:16 GMT https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051268#M79308 wsulym 2008-07-25T20:51:16Z https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051269#M79309 <HTML><HEAD></HEAD><BODY><P>Thanks for the response.</P><P></P><P>None of the sigs are perfect, but it seems to me that the RR flood would likely be a better indicator of this than a query flood.</P></BODY></HTML> Mon, 28 Jul 2008 11:55:37 GMT https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051269#M79309 mhellman 2008-07-28T11:55:37Z https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051270#M79310 <HTML><HEAD></HEAD><BODY><P>At many of our busier/larger customers, this signature was a bit noisy (enough that we had to turn it off). The snort rules seem a bit smarter about detecting an attack than simply triggering on a rate.</P></BODY></HTML> Mon, 28 Jul 2008 15:29:24 GMT https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051270#M79310 attmidsteam 2008-07-28T15:29:24Z https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051271#M79311 <HTML><HEAD></HEAD><BODY><P>same here.</P></BODY></HTML> Mon, 28 Jul 2008 16:04:52 GMT https://community.cisco.com/t5/network-security/dns-cache-poisoning-4004/m-p/1051271#M79311 mhellman 2008-07-28T16:04:52Z