TippingPoint DNS Version Request increase

Published: 2012-07-21
Last Updated: 2012-07-21 04:17:56 UTC
by Rick Wanner (Version: 1)
3 comment(s)
We have received a number of reports from TippingPoint customers that the normally quiet filter #560: DNS version request has been triggering in larger than normal numbers.  The indications are that a large number of source IPs are involved, but the volume is not high enough to be of a concern for potential DOS.  We have not yet been able to view any packets from this traffic.
If anybody has any more information, or packets we can review, we would love to hear from you.
The summary of filter #560 is:
"This filter detects a request to obtain the version number of the DNS Bind Server. The attacker uses the version information to determine whether the DNS Server is vulnerable to certain buffer overflow or Denial of Service attacks."

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: DNS IDS TippingPoint
3 comment(s)
Diary Archives