[Emerging-Sigs] DNS single dot ddos amplifier

RPG inittab at jtan.com
Mon Jan 19 11:38:34 EST 2009


My proposed rule for this little nasty (see reference)

alert udp any any -> any 53 (
msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos amplifier";
content:"|00 00 02 00 01|";
threshold:type limit, track by_src, count 1, seconds 120;
classtype:attempted-dos;
reference:url,isc.sans.org/diary.html?storyid=5713;
sid:XXXXXXXXXXXXX;
rev:1;
)
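An added example, not part of the original post, showing what the `content:"|00 00 02 00 01|"` match actually tests against constructed DNS query payloads: the byte string is the question terminator followed by QTYPE=NS, QCLASS=IN, so it appears in any NS/IN query, not only a query for the root name. The parser below distinguishes the single-dot case; the sample messages and the helper names are assumptions made here.

```python
import struct

# Constructed sample DNS header (not from the post): ID 0x1234, flags RD,
# QDCOUNT=1, no answer/authority/additional records. Question starts at offset 12.
HEADER = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)

def encode_qname(name):
    """Encode a dotted name as DNS labels; '.' (the root) is the single byte 0x00."""
    if name in ("", "."):
        return b"\x00"
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype):
    """Assemble a one-question query message with QCLASS=IN (1)."""
    return HEADER + encode_qname(name) + struct.pack(">HH", qtype, 1)

def parse_question(payload):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(payload) < 17:                      # 12-byte header + root name + type/class
        return None
    if struct.unpack(">H", payload[4:6])[0] < 1:  # QDCOUNT
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        pos += 1
        if ln == 0:                            # end of name
            break
        if ln & 0xC0:                          # compression pointer: not valid in a query name
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return (".".join(labels) or ".", qtype, qclass)

def snort_content_match(payload):
    """What the posted rule tests: the byte string anywhere in the UDP payload."""
    return b"\x00\x00\x02\x00\x01" in payload

def is_root_ns_query(payload):
    """Stricter check: an NS/IN question whose name is exactly the root."""
    return parse_question(payload) == (".", 2, 1)
```

For the root query the pattern sits at payload offset 12, so anchoring the Snort match there (`offset:12; depth:5;`) would keep the rule from firing on NS queries for other names.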

