Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: TippingPoint DNS Version Request increase SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
TippingPoint DNS Version Request increase
We have received a number of reports from TippingPoint customers that the normally quiet filter #560: DNS version request has been triggering in larger than normal numbers.  The indications are that a large number of source IPs are involved, but the volume is not high enough to be of a concern for potential DOS.  We have not yet been able to view any packets from this traffic.
If anybody has any more information, or packets we can review, we would love to hear from you.
The summary of filter #560 is:
"This filter detects a request to obtain the version number of the DNS Bind Server. The attacker uses the version information to determine whether the DNS Server is vulnerable to certain buffer overflow or Denial of Service attacks."

-- Rick Wanner - rwanner at isc dot sans dot org - - Twitter:namedeplume (Protected)


324 Posts
ISC Handler
Jul 21st 2012
Yeah, seeing this triggering snort alerts:

Signature Total Events IP Srcs IP Dsts Sensor Latest Timestamp
GPL DNS named version attempt 76629 11383 55608 1 2012-07-22 07:43:06

from a quick look all packets appear identical.

1 Posts
Ya, saw a distinct increase in this traffic on the 20th mostly from China... back to "normal" now.
1 Posts
We are seeing this again. Did anyone determine the source or find a need/method to resolve? Ours also logged many hits for a relatively short period and then stopped.
1 Posts

Sign Up for Free or Log In to start participating in the conversation!