TippingPoint DNS Version Request increase

Published: 2012-07-21
Last Updated: 2012-07-21 04:17:56 UTC
by Rick Wanner (Version: 1)
3 comment(s)
We have received a number of reports from TippingPoint customers that the normally quiet filter #560: DNS version request has been triggering in larger than normal numbers.  The indications are that a large number of source IPs are involved, but the volume is not high enough to be of a concern for potential DOS.  We have not yet been able to view any packets from this traffic.
 
If anybody has any more information, or packets we can review, we would love to hear from you.
 
The summary of filter #560 is:
"This filter detects a request to obtain the version number of the DNS Bind Server. The attacker uses the version information to determine whether the DNS Server is vulnerable to certain buffer overflow or Denial of Service attacks."

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: DNS IDS TippingPoint
3 comment(s)

Comments

Yeah, seeing this triggering snort alerts:

Signature Total Events IP Srcs IP Dsts Sensor Latest Timestamp
GPL DNS named version attempt 76629 11383 55608 1 2012-07-22 07:43:06

from a quick look all packets appear identical.
Ya, saw a distinct increase in this traffic on the 20th mostly from China... back to "normal" now.
We are seeing this again. Did anyone determine the source or find a need/method to resolve? Ours also logged many hits for a relatively short period and then stopped.

Diary Archives