Signatures to detect SAD DNS

Last week DNS Cache poisoning has been revived by some researchers. The findings have been shown at the ACM CCS 2020 ( and at

In the FAQ for this attack the following is mentioned about IDS detection:

  • Detect the timing pattern of the traffic: the attack sends a burst of packets every 50ms.
  • Detect UDP port scanning.
  • Detect wrong TxIDs for incoming DNS responses: the attack needs to brute force TxID but normal DNS responses are unlikely to present the wrong TxID value.

Besides that, one of the mitigations is to disable outgoing ICMP port unreachable.

Has anyone created signatures to detect:

  • Outgoing ICMP port unreachable messages?
  • Any of the 3 detections mentioned above?

Jan Hugo Prins