As many of you already know, this DNS vulnerability has taken the community as a whole by storm. For you Snort guys out there, here is the latest DNS signature that may help you detect such activity. Props to alexkirk from the #snort channel for hooking us up!
Implement at your own risk! Simply cut and paste, as it looks pretty nasty below:
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447; reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30;)
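To see what the signature keys on, the following added example (not part of the original post or of the Snort rule set) models its two conditions in Python: the `byte_test` on the DNS flags byte and the per-source threshold. The packet builder, the sample addresses and the stricter `is_nxdomain` check are assumptions made for illustration, and the threshold logic is a simplified model of Snort's behaviour.

```python
import struct

NXDOMAIN = 3  # DNS RCODE for "name does not exist"

def dns_header(txid, rcode):
    """Constructed 12-byte DNS response header (QR=1, RD=1, RA=1)."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)

def rule_byte_test(payload):
    # byte_test:1,&,3,3 -> one byte at payload offset 3, ANDed with 3.
    # Snort's '&' operator passes when the result is non-zero.
    return len(payload) > 3 and (payload[3] & 3) != 0

def is_nxdomain(payload):
    # Stricter check (assumption, not in the rule): QR bit set, RCODE == 3.
    return (len(payload) >= 12 and bool(payload[2] & 0x80)
            and (payload[3] & 0x0F) == NXDOMAIN)

def threshold_alerts(packets, match, count=1000, seconds=30):
    """Simplified model of 'type threshold, track by_src': every count-th
    matching packet from one source inside a window raises an alert.
    packets is an iterable of (timestamp, src_ip, udp_payload)."""
    windows = {}  # src_ip -> [window_start, hits]
    alerts = []
    for ts, src, payload in packets:
        if not match(payload):
            continue
        win = windows.get(src)
        if win is None or ts - win[0] >= seconds:
            win = windows[src] = [ts, 0]  # start a fresh window
        win[1] += 1
        if win[1] % count == 0:
            alerts.append((ts, src))
    return alerts

def sample_traffic():
    """Constructed traffic from three documentation-range resolvers."""
    pkts = [(i * 0.01, "198.51.100.7", dns_header(i, 3)) for i in range(1200)]  # NXDOMAIN flood
    pkts += [(i * 1.0, "203.0.113.9", dns_header(i, 3)) for i in range(60)]     # slow NXDOMAIN
    pkts += [(i * 0.01, "192.0.2.53", dns_header(i, 2)) for i in range(1000)]   # SERVFAIL burst
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    traffic = sample_traffic()
    print("rule as written:", threshold_alerts(traffic, rule_byte_test))
    print("exact RCODE 3  :", threshold_alerts(traffic, is_nxdomain))
```

Run against the constructed traffic, the bitmask test also counts the SERVFAIL burst toward the threshold, while the exact RCODE comparison flags only the NXDOMAIN flood.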
Today we introduce a new portion of the show: SecuraBytes. SecuraBytes are unannounced episodes; they could be last-minute interviews or just more beer-induced security speak. So, without further ado, here is the first SecuraByte from the SecuraBit Podcast.
Wesley McGrew of McGrew Security, Martin McKeay of the Network Security Blog / Podcast, and some guy named Joel joined Rob Fuller and Anthony Gartner last night to discuss the DNS vulnerability leak that happened about quitting time yesterday (7/21). We discuss the leak, how the vulnerability works, mitigation, and the potential it has on a mass scale. Every one of the gentlemen who joined us, and we here at SecuraBit, urge you to patch as soon as possible. If you need further information, please check the following links:
We’ll be recording Episode 6 tomorrow night at 7:30PM EST (July 9th). Also, we’ll be streaming live once again via hak5radio. Join us on IRC at irc.freenode.net #securabit for chat and details on the stream URL.
There are T-Shirts and Stickers on the way. We’ll be selling them on the site here so keep watch for the next couple weeks before DEFCON so you can get yours before you go up there!