SECURING A DNS SERVER WITH SNORT IDS : Severen-Telecom case
Drozdova, Anna (2015)
Mikkelin ammattikorkeakoulu
2015
All rights reserved
Julkaisun pysyvä osoite on
http://urn.fi/URN:NBN:fi:amk-2015101415424
http://urn.fi/URN:NBN:fi:amk-2015101415424
Tiivistelmä
Today Severen-Telecom is one of the largest Internet providers for corporate clients in the Saint-Petersburg region. When analysing log files of IDS, it was noticed that the company’s DNS server from time to time received queries to resolve non-existent domain names of Chinese web-stores. These requests come from the client hosts.
The purpose of this study was to investigate the architectures of Intrusion Detection System and Domain Name System. Another aim was to find out the way to protect the DNS server. In order to reach the goal of the study the IDS architecture was studied and Snort IDS was chosen. The Snort system is one of the most powerful IDSs today. The possibility to work in the inline mode allows not only detecting suspicious activity, but also blocking it. Manually written Snort rules are a helpful addition.
All examinations were performed in a virtual laboratory environment and were not tested in real conditions. And as a result it was discovered that Snort IDS was not able to block all fake DNS queries alone, only partial filtering. This study is not finished at this point; complete blocking of packets generated by the bot may be performed with different Snort plug-ins of additional software.
The purpose of this study was to investigate the architectures of Intrusion Detection System and Domain Name System. Another aim was to find out the way to protect the DNS server. In order to reach the goal of the study the IDS architecture was studied and Snort IDS was chosen. The Snort system is one of the most powerful IDSs today. The possibility to work in the inline mode allows not only detecting suspicious activity, but also blocking it. Manually written Snort rules are a helpful addition.
All examinations were performed in a virtual laboratory environment and were not tested in real conditions. And as a result it was discovered that Snort IDS was not able to block all fake DNS queries alone, only partial filtering. This study is not finished at this point; complete blocking of packets generated by the bot may be performed with different Snort plug-ins of additional software.