Date: Mon, 4 Aug 2008 18:22:46 -0400
From: Robert Edmonds
To: dns-operations
Subject: [dns-operations] release of ISC SIE cache poisoning attempt detection tool

hi,

ISC SIE has developed a tool for detecting cache poisoning attempts. it consists of two parts: ncaptool, the part which performs packet gathering, reassembly, and dns filtering; and mod_urstate, a message processing module which attempts to statefully detect unsolicited responses that may be indicative of cache poisoning attempts.

specifically, the tool is designed to listen at the network layer of a recursive dns server, auditing the query-response stream between recursive and authoritative dns servers. when a potential cache poisoning attempt is detected, both the offending and original dns responses will be emitted into the output stream.

ncaptool and mod_urstate may be obtained via ftp:
- a fifo cache of the query / response payloads generated by dns transactions. a hard limit on the number of entries in this cache will be enforced to bound memory consumption. the default limit of 1048576 entries tends to consume around 700 MB of memory. the larger this cache is, the more accurate the output will be. as a rule of thumb, the cache should be large enough to hold at least 5 to 30 seconds or so of the most recent dns transactions.
- an associative array for locating entries in the cache based on a tuple of fields from the packet headers and payload.
- the malicious response payload differs in some way from legitimate response payloads.
- the malicious response matches the tuple for an outstanding query.
- the malicious response arrives at approximately the same time as a legitimate response.
- was an attempt made to introduce malicious data into my cache?
- did the attempt succeed? i.e., did the malicious response arrive prior to the legitimate response?
- what are the contents of the malicious dns response? e.g., in the most common scenario, where is the attacker's doppelgaenger located?
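The detection logic the announcement describes (a bounded FIFO cache of outstanding transactions, a lookup tuple built from packet headers and payload, and an alert when a second, differing response matches a query that already has one) can be illustrated in a few dozen lines. The following is an added example written for this page; it is not ncaptool or mod_urstate code. It assumes the lookup tuple is (resolver ip, resolver port, authoritative ip, txid, qname, qtype), a 5 second window, a minimal parser that handles only uncompressed names and single A records, and constructed sample traffic on RFC 5737 addresses. The alert reports both responses in arrival order; which of the two is the legitimate one is left to the analyst, so "did the attempt succeed" is answered by checking which response arrived first.

```python
"""Added illustration of stateful unsolicited-response detection in the style of mod_urstate.
Not ISC code; the key fields, window, limits and sample traffic below are assumptions."""
import struct
from collections import OrderedDict, namedtuple

CACHE_LIMIT = 1048576   # default entry limit quoted in the announcement
WINDOW_SECONDS = 5.0    # assumed: low end of the "5 to 30 seconds" rule of thumb

Packet = namedtuple("Packet", "ts src_ip src_port dst_ip dst_port payload")   # ts in seconds
DnsMsg = namedtuple("DnsMsg", "txid is_response qname qtype answers")
Alert = namedtuple("Alert", "key first second first_answers second_answers delta_seconds")

def encode_name(name):
    """Wire-format a dotted name without compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"

def decode_name(msg, off):
    """Read an uncompressed name at msg[off]; return (name, next offset)."""
    labels = []
    while msg[off]:
        ln = msg[off]
        if ln & 0xC0:
            raise ValueError("compression pointers not handled in this illustration")
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels) + ".", off + 1

def parse_dns(payload):
    """Extract the fields the detector keys on; assumes exactly one question section."""
    txid, flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    qname, off = decode_name(payload, 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    off += 4                                                  # qtype + qclass
    answers = []
    for _ in range(ancount):
        _, off = decode_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        rdata, off = payload[off + 10:off + 10 + rdlen], off + 10 + rdlen
        answers.append(".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex())
    return DnsMsg(txid, bool(flags & 0x8000), qname.lower(), qtype, answers)

def build_dns(txid, qname, qtype=1, answer_ip=None):
    """Constructed sample message: a query, or a response carrying one A record."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 if answer_ip else 0x0100, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if answer_ip:
        msg += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, answer_ip.split(".")))
    return msg

class UnsolicitedResponseDetector:
    def __init__(self, limit=CACHE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.cache = OrderedDict()   # FIFO of outstanding transactions: key -> {"ts", "responses"}
        self.unmatched = 0           # responses matching no outstanding query (e.g. txid guesses that missed)

    @staticmethod
    def key_for(pkt, msg):
        """Normalise both directions onto (resolver ip, resolver port, auth ip, txid, qname, qtype)."""
        if msg.is_response:
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, msg.txid, msg.qname, msg.qtype)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, msg.txid, msg.qname, msg.qtype)

    def process(self, pkt):
        msg = parse_dns(pkt.payload)
        key = self.key_for(pkt, msg)
        while self.cache and pkt.ts - next(iter(self.cache.values()))["ts"] > self.window:
            self.cache.popitem(last=False)                    # drop transactions older than the window
        if not msg.is_response:
            self.cache.pop(key, None)                         # re-insert at the tail of the FIFO
            self.cache[key] = {"ts": pkt.ts, "responses": []}
            if len(self.cache) > self.limit:
                self.cache.popitem(last=False)                # hard limit bounds memory use
            return None
        entry = self.cache.get(key)
        if entry is None:
            self.unmatched += 1
            return None
        seen = entry["responses"]
        if any(p.payload == pkt.payload for p, _ in seen):
            return None                                       # identical duplicate delivery, not an attempt
        seen.append((pkt, msg))
        if len(seen) < 2:
            return None
        first_pkt, first_msg = seen[0]                        # the response the resolver would have accepted
        return Alert(key, first_pkt, pkt, first_msg.answers, msg.answers, pkt.ts - first_pkt.ts)

def run_demo():
    """Constructed traffic (RFC 5737 addresses): one poisoned transaction, one clean one."""
    R, A = "192.0.2.53", "198.51.100.1"                      # resolver and authoritative server
    det = UnsolicitedResponseDetector()
    legit = build_dns(0x1A2B, "www.example.com.", answer_ip="198.51.100.80")
    stream = [
        Packet(0.000, R, 34567, A, 53, build_dns(0x1A2B, "www.example.com.")),
        Packet(0.010, A, 53, R, 34567, build_dns(0x1A2B, "www.example.com.", answer_ip="203.0.113.66")),
        Packet(0.030, A, 53, R, 34567, legit),
        Packet(0.031, A, 53, R, 34567, legit),               # duplicate delivery of the same response
        Packet(0.032, A, 53, R, 34567, build_dns(0x1A2C, "www.example.com.", answer_ip="203.0.113.66")),
        Packet(0.100, R, 40001, A, 53, build_dns(0x7777, "mail.example.com.")),
        Packet(0.120, A, 53, R, 40001, build_dns(0x7777, "mail.example.com.", answer_ip="198.51.100.25")),
    ]
    alerts = [a for a in map(det.process, stream) if a is not None]
    return det, alerts
```

In the constructed stream the spoofed answer (203.0.113.66) arrives 20 ms before the real one, so the single alert lists it as `first`, which is the "attempt succeeded" case; the retransmitted legitimate response is ignored as an exact duplicate, and the response with a guessed txid that misses the outstanding query only bumps the `unmatched` counter, which on a real resolver is the figure that climbs during a brute-force attempt.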