Signatures to detect SAD DNS

Jan_Hugo_Prins · November 18, 2020, 11:10am

Last week DNS Cache poisoning has been revived by some researchers. The findings have been shown at the ACM CCS 2020 (https://www.sigsac.org/ccs/CCS2020/index.html) and at https://www.cs.ucr.edu/~zhiyunq/SADDNS.html.

In the FAQ for this attack the following is mentioned about IDS detection:

Detect the timing pattern of the traffic: the attack sends a burst of packets every 50ms.
Detect UDP port scanning.
Detect wrong TxIDs for incoming DNS responses: the attack needs to brute force TxID but normal DNS responses are unlikely to present the wrong TxID value.

Besides that, one of the mitigations is to disable outgoing ICMP port unreachable.

Has anyone created signatures to detect:

Jan Hugo Prins

Topic		Replies	Views
SIGRed (CVE-2020-1350) Rule Rules	4	1460	July 17, 2020
Rule for Low rate UDP flooding Help	2	1629	November 12, 2020
Track number of accessed hosts outbound Rules	1	356	June 4, 2022
Rules for DNS Kaminsky Rules	5	863	April 21, 2022
Follow-up Q's for Gaming Servers (UDP Floods / Game Signatures) Help	9	792	November 20, 2022