[Emerging-Sigs] DNS single dot ddos amplifier

RPG inittab at jtan.com
Sun Jan 25 19:10:54 EST 2009


Yes, this activity is absolutely still going on.

This sig will not hit on packets originating in the HOME_NET.  BTW, the
sig should probably be changed as follows: "alert udp $EXTERNAL_NET any
-> $HOME_NET 53", we've seen a few false positives with the current sig.

A sig to pick up on outbound spoofed packets might look something like
this: alert udp !$HOME_NET any -> !$DNS_SERVERS 53  ......  (sensor
placement is important here.)    You might get some FP's with this but
if you truly have a malicious system in your midst you will probably be
bombarded with alerts.

Of course, your best defense is to restrict outbound DNS to only
approved DNS servers.  Your firewall logs would then tell the story.


bob harley wrote:
> Would that signature hit on packets originating in the $HOME_NET with
> the spoofed source IPs? Anyone know if this activity is still going on?
> 
> - Harley
> 
> On Tue, Jan 20, 2009 at 1:09 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> 
>     Looks very interesting RPG. Thanks for the effort. Posting it now.
> 
>     Matt
> 
>     RPG wrote:
>     > I've modified it a bit based on a few stray FP's, this works if you have
>     > a public facing DNS server.
>     >
>     > alert udp any any -> $HOME_NET 53 (
>     > msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos";
>     > content:"|01 00 00 01 00 00 00 00 00 00 00 00 02 00 01|";
>     > threshold:type limit, track by_src, count 1, seconds 120;
>     > classtype:attempted-dos;
>     > reference:url,isc.sans.org/diary.html?storyid=5713;
>     > sid:XXXXXXXXXXXXXXX;
>     > rev:2;
>     > )
>     >
>     >
>     > RPG wrote:
>     >> My proposed rule for this little nasty (see reference)
>     >>
>     >> alert udp any any -> any 53 (
>     >> msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos amplifier";
>     >> content:"|00 00 02 00 01|";
>     >> threshold:type limit, track by_src, count 1, seconds 120;
>     >> classtype:attempted-dos;
>     >> reference:url,isc.sans.org/diary.html?storyid=5713;
>     >> sid:XXXXXXXXXXXXX;
>     >> rev:1;
>     >> )
>     >> _______________________________________________
>     >> Emerging-sigs mailing list
>     >> Emerging-sigs at emergingthreats.net
>     <mailto:Emerging-sigs at emergingthreats.net>
>     >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >>
>     >
> 
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     --------------------------------------------
> 
>     PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> 

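As an added illustration, not part of the thread above: the Python below reproduces what the rev:1 and rev:2 content matches actually see (and why rev:1 fired on every NS query), parses the question section instead of byte-matching, and mimics the rule's per-source threshold. All payloads, addresses and timestamps are constructed for the example.

```python
import struct

# Constructed DNS payloads (UDP data only). Header after the 2-byte TXID:
# flags 0x0100 (standard query, RD), QDCOUNT=1, AN/NS/ARCOUNT=0.
HDR_QUERY = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
ROOT_NS = b"\x12\x34" + HDR_QUERY + b"\x00\x00\x02\x00\x01"          # '.' NS IN
EXAMPLE_NS = b"\x56\x78" + HDR_QUERY + b"\x07example\x03com\x00\x00\x02\x00\x01"
EXAMPLE_A = b"\x9a\xbc" + HDR_QUERY + b"\x07example\x03com\x00\x00\x01\x00\x01"

def matches_rev1(payload):
    # rev:1 content "|00 00 02 00 01|" is the terminating label of ANY name
    # followed by type NS / class IN, so every NS query matches (the stray FP's).
    return b"\x00\x00\x02\x00\x01" in payload

def matches_rev2(payload):
    # rev:2 anchors the flags and section counts directly in front of the root label.
    return (HDR_QUERY + b"\x00\x00\x02\x00\x01") in payload

def is_root_ns_query(payload):
    """Parsed check: a query (QR=0) with one question for '.' of type NS, class IN."""
    if len(payload) < 17:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1 or (an, ns, ar) != (0, 0, 0):
        return False
    return payload[12:17] == b"\x00\x00\x02\x00\x01"

class SourceLimiter:
    """Mimics 'threshold:type limit, track by_src, count 1, seconds 120'."""
    def __init__(self, seconds=120):
        self.seconds, self.window_start = seconds, {}

    def should_alert(self, src_ip, now):
        start = self.window_start.get(src_ip)
        if start is None or now - start >= self.seconds:
            self.window_start[src_ip] = now      # first event opens a new window
            return True
        return False

def scan(packets, seconds=120):
    """packets: iterable of (timestamp, src_ip, dst_port, payload); returns alerts."""
    limiter, alerts = SourceLimiter(seconds), []
    for ts, src, dport, payload in packets:
        if dport == 53 and is_root_ns_query(payload) and limiter.should_alert(src, ts):
            alerts.append((ts, src))
    return alerts

# Constructed traffic: a stream of '.' NS queries all carrying one source address
# (the pattern an amplifier sees from spoofed packets), mixed with normal queries.
SAMPLE = [(0.0, "203.0.113.7", 53, ROOT_NS), (5.0, "203.0.113.7", 53, ROOT_NS),
          (9.0, "198.51.100.2", 53, EXAMPLE_NS), (60.0, "203.0.113.7", 53, ROOT_NS),
          (130.0, "203.0.113.7", 53, ROOT_NS), (131.0, "198.51.100.2", 53, EXAMPLE_A)]
```

Running `scan(SAMPLE)` yields one alert at t=0 and one at t=130 for 203.0.113.7, matching the one-per-120-seconds limit, while the example.com NS query trips only the rev:1 pattern.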