NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Immunitysec Daily Dave> 2008-q3

[Dailydave] Detecting DNS Events

From: Jose Avila (joseonzra.com)
Date: Mon Jul 14 2008 - 12:56:45 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cache Poisoning has been around for many years... As Halvar has stated
in his blog we have survived much worse, and I believe we will survive
this current issue. One thing that has amused me is how well
orchestrated this entire event has been; and as such, I commend
everyone that has been involved in the process from start to finish.

With these releases we have one more Cache Poisoning attack prevented;
however, we still don’t really have a method for confirming and
verifying that a recursive server has been poisoned. The recursive
provider finds out when services start failing, customers start
calling in, etc.

With help from Dan, and a few others, I started work on a small open
source application to monitor and verify the cache of a recursive
server. The overall concept was to take periodic dumps of the in-
memory cache from the recursive server, validate these dumps against
the authoritative name servers, and peer recursive name servers,
alerting when something could not be validated. Once we were able to
narrow down the false positives from the Content Delivery Networks,
there started to be a bit more hope.

The tool is currently released under the BSD License and is free for
anyone to use, and contribute to. Its currently an early release but,
its my hopes that as time progresses, we’ll have a scaleable, stable
tool that that recursive providers can use to detect and respond
quicker to cache poisoning events.

Currently there is not a lot of documentation, but I’m hoping to have
something more detailed written up soon. Feel free to contact me with
any questions or comments.

Tool download: http://www.onzra.com/CacheAudit-Latest.tgz

Thanks,

Jose

--
Jose Avila III
www.onzra.com
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]