[Emerging-Sigs] DNS single dot ddos amplifier

Matt Jonkman jonkman at jonkmans.com
Tue Jan 20 01:09:45 EST 2009


Looks very interesting, RPG. Thanks for the effort. Posting it now.

Matt

RPG wrote:
> I've modified it a bit based on a few stray FPs; this works if you have 
> a public-facing DNS server.
> 
> alert udp any any -> $HOME_NET 53 (
> msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos";
> content:"|01 00 00 01 00 00 00 00 00 00 00 00 02 00 01|";
> threshold:type limit, track by_src, count 1, seconds 120;
> classtype:attempted-dos;
> reference:url,isc.sans.org/diary.html?storyid=5713;
> sid:XXXXXXXXXXXXXXX;
> rev:2;
> )
> 
> 
> RPG wrote:
>> My proposed rule for this little nasty (see reference)
>>
>> alert udp any any -> any 53 (
>> msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos amplifier";
>> content:"|00 00 02 00 01|";
>> threshold:type limit, track by_src, count 1, seconds 120;
>> classtype:attempted-dos;
>> reference:url,isc.sans.org/diary.html?storyid=5713;
>> sid:XXXXXXXXXXXXX;
>> rev:1;
>> )
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
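The rev 2 content string above is the wire encoding of a DNS query for the root zone's NS records, minus the two-byte transaction ID. The following Python is an added example (not code from this thread, from RPG, or from Emerging Threats) that reconstructs the pattern byte by byte, checks it the way Snort's `content` keyword does (a plain substring search), and places beside it a structural check that parses the header and first question. The packets are constructed test vectors, and the structural check is an assumed generalisation of the rule: it flags the same question even when the RD flag is clear or an EDNS0 OPT record raises ARCOUNT, two variants the fixed byte pattern does not cover.

```python
import struct

# Content string from the posted rule (rev 2). It is everything after the
# 2-byte transaction ID of a query for ". NS IN":
#   flags 0x0100 (standard query, RD set), QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0,
#   QNAME "." (only the 0x00 root terminator), QTYPE NS (2), QCLASS IN (1).
RULE_CONTENT = bytes.fromhex("010000010000000000000000020001")

QTYPE_A = 1
QTYPE_NS = 2
QCLASS_IN = 1


def build_query(txid, qname, qtype, rd=True, edns=False):
    """Build a minimal DNS query packet (constructed test vector, not captured traffic).

    With edns=True an OPT pseudo-record is appended and ARCOUNT becomes 1,
    which is what a modern stub resolver sends by default.
    """
    flags = 0x0100 if rd else 0x0000
    arcount = 1 if edns else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = [lbl.encode() for lbl in qname.strip(".").split(".") if lbl]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = qname_wire + struct.pack(">HH", qtype, QCLASS_IN)
    # OPT RR: NAME 0x00, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def matches_rule_content(payload):
    """What Snort's 'content' keyword does with no offset/depth: substring search anywhere."""
    return RULE_CONTENT in payload


def parse_question(payload):
    """Parse the DNS header and first question.

    Returns (is_query, qname, qtype, qclass), or None for short/malformed packets.
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a question name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack(">HH", payload[pos:pos + 4])
    is_query = (flags & 0x8000) == 0  # QR bit clear
    return is_query, ".".join(labels) + ".", qtype, qclass


def is_root_ns_query(payload):
    """Structural check (assumed generalisation of the rule): any query whose first
    question is '. NS IN', regardless of header flags or trailing EDNS records."""
    parsed = parse_question(payload)
    if parsed is None:
        return False
    is_query, qname, qtype, qclass = parsed
    return is_query and qname == "." and qtype == QTYPE_NS and qclass == QCLASS_IN


# Constructed samples: the exact packet the rule targets plus three variants.
SAMPLES = {
    "root_ns": build_query(0x1234, ".", QTYPE_NS),
    "root_ns_edns": build_query(0x1234, ".", QTYPE_NS, edns=True),
    "root_ns_no_rd": build_query(0x1234, ".", QTYPE_NS, rd=False),
    "example_a": build_query(0x1234, "example.com", QTYPE_A),
}


def evaluate(samples=SAMPLES):
    """Return {name: (content_match, structural_match)} for each sample packet."""
    return {name: (matches_rule_content(p), is_root_ns_query(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_content, by_parse) in evaluate().items():
        print(f"{name:14s} content-match={by_content!s:5s} structural-match={by_parse}")
```

Run as a script it prints one line per sample. The first sample reproduces the rule's content string exactly from offset 2 onward; the EDNS and RD-clear variants carry the same question but differ in the header bytes, so only the parse-based check reports them. That is the trade-off behind a fixed-byte `content` rule: it is cheap and precise for the traffic seen in the incident, and a parser (or a rule with the header bytes relaxed) is what you reach for when the query shape starts to vary.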