r2 - 05 Mar 2008 - 20:50:22 - CurtWilson

FastFluxDNSResponseDetection

-- JohnMcCash - 10 Jan 2008

I have a question for the BleedingThreats audience at large. I was just reading up a bit on Fast Flux DNS configurations, which are being used to enhance the robustness of decentralized networked control and update capabilities for botnets. One suggested countermeasure that I read of was to disallow inbound DNS responses that include NS records with low TTLs. This seems reasonable to me, and I assume that it's a capability that can be implemented in most or all DNS servers, but I was looking for a simple way to detect it using my firewalls or IDS and IPS resources, and I've been unable to find any pregenerated signatures for this anywhere.

I'm not a snort guru, but shouldn't it be a relatively simple matter to create a snort signature that would fire when it detected a DNS response including an NS record with a TTL of, say, 5 minutes or less?

I'm also sort of surprised that I was unable to find any reference to a similar pregenerated rule in my ISS sensors.

Am I totally off-base here? Is there some relatively common legitimate usage of low-TTL NS records of which I'm unaware? Does snort support parsing the DNS protocol, or would such a signature have to be built using exact bitstring matching at specified packet offsets? I did a quick search through the public ruleset, and the only similar rules that I found there are written using these sorts of matches.

Please enlighten me. Thanks very much in advance.

-- John McCash
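A minimal parser for the check John describes, added here as an example and not code from the original thread or from Snort: it walks the resource records of a DNS response and reports NS records whose TTL is at or below 300 seconds. The sample response bytes are constructed for this example; the variable-length names and compression pointers they contain are exactly what makes a fixed-offset byte match unreliable and a protocol-aware rule preferable.

```python
import struct

LOW_TTL_SECONDS = 300  # the post's threshold: 5 minutes or less
TYPE_NS = 2

def read_name(msg, off):
    """Decode a possibly compressed name at off -> (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bounded walk: a pointer loop must not spin forever
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("malformed name or pointer loop")
    return ".".join(labels), (end if jumped else off)

def low_ttl_ns_records(msg, threshold=LOW_TTL_SECONDS):
    """Return [(owner, ttl, nsdname)] for NS RRs with ttl <= threshold."""
    flags, qd, an, ns, ar = struct.unpack_from("!xxHHHHH", msg, 0)
    if not flags & 0x8000:
        return []  # QR bit clear: a query, not a response
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    hits = []
    for _ in range(an + ns + ar):  # every RR sits at a data-dependent offset
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_NS and ttl <= threshold:
            hits.append((owner, ttl, read_name(msg, off)[0]))
        off += rdlen
    return hits

# Constructed response: an A answer for www.example.test (TTL 3600) plus an
# authority NS record for example.test with a 60 s TTL, using name compression.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0)
          + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
          + b"\xc0\x10" + struct.pack("!HHIH", 2, 1, 60, 6) + b"\x03ns1\xc0\x10")
```

Running `low_ttl_ns_records(SAMPLE)` returns `[('example.test', 60, 'ns1.example.test')]`; the long-lived A record is not reported.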

You may want to look at the DNS related signatures that come with snort that trigger on a low TTL value as a foundation for a custom rule.

Docs at Bleeding Threats. Copyright © Bleeding Edge Threats.