[Emerging-Sigs] Rule 2016016

Jørgen Bøhnsdalen jurg at jurg.no
Thu Dec 20 07:21:32 HAST 2012

The attack works by sending a small query from a spoofed source IP, which (optimally) results in the server sending a huge response back. See this link:


What we've seen though is a bunch of requests to non-dns servers, possibly in an attempt to locate DNS-servers that allow recursive lookup.

- Jørgen

On 12/20/2012 06:19 PM, waldo kitty wrote:
> On 12/20/2012 10:55, Nathan wrote:
>> Hash: SHA1
>> On 12/20/2012 08:54 AM, Lay, James wrote:
>>> So far this is a pretty chatty rule.  FYI :D
>> It's legit, I had the same thing with 'isc.org' with them asking ANY? isc.org.
>> up and down my CIDR /19.  The guy in this case was and all
>> traffic was sourced from sport 32767 to dport 53.
> i've seen this from only a few times... one was which seems to be game2.kfc-css.com... both the address and the base kfc-css.com are listed in france...
>> I'd give them a firewall block.
> that's what i lie about our active response tool... it initiates a firewall block for alerts and does it pretty danged quickly, too...
> i'm trying to figure out what, exactly, is meant by the rule's MSG text, though... "DNS Amplification"??? what are they trying to do, query DNS via our DNS server(s) and sending a lot of requests for the same addresses?
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Jørgen Bøhnsdalen
Security Analyst

More information about the Emerging-sigs mailing list