Rule:
--
Sid:
100000161
--
Summary:
This event is generated when an abnormally large number of unresolvable DNS
queries are generated by a particular host.
--
Impact:
This can be an indication of a denial of service attack in progress.
--
Detailed Information:
Since SIP systems can be overwhelmed by being forced to deal with an overly
large number of invalid hostnames, this rule is designed to detect such attacks
by searching for large volumes of DNS responses which contain the message "No
such name".
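The detection logic described above, as an added example that is not part of the Snort rule or its documentation: "No such name" is the decoder label for DNS RCODE 3 (NXDOMAIN), so the script checks the QR bit and RCODE of each DNS header and flags any destination host that receives at least a threshold number of such responses inside a sliding time window. The packet tuples, the threshold and the window are constructed assumptions for this example.

```python
import struct
from collections import defaultdict, deque

NXDOMAIN = 3  # DNS RCODE 3, shown by packet decoders as "No such name"


def is_nxdomain_response(payload):
    """Inspect the 12-byte DNS header: QR bit (0x8000) set and RCODE == 3."""
    if len(payload) < 12:
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000) and (flags & 0x000F) == NXDOMAIN


def detect_nxdomain_flood(packets, threshold, window_s):
    """packets: iterable of (timestamp, dst_host, dns_payload) sorted by time.

    Returns the set of hosts that received >= threshold NXDOMAIN answers
    within any window_s seconds (a count/seconds threshold, like Snort's).
    """
    recent = defaultdict(deque)  # per-host timestamps still inside the window
    flagged = set()
    for ts, dst, payload in packets:
        if not is_nxdomain_response(payload):
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop answers older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(dst)
    return flagged


def make_response(txid, rcode):
    """Constructed header-only DNS response (QR|RD|RA set, all counts zero)."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 0, 0, 0, 0)


# Constructed sample traffic: one host hit by a burst of 30 NXDOMAINs in 3 s,
# one host receiving 30 NXDOMAINs spread over 150 s, one ordinary NOERROR answer.
SAMPLE_PACKETS = sorted(
    [(0.1 * i, "10.0.0.5", make_response(i, NXDOMAIN)) for i in range(30)]
    + [(5.0 * i, "10.0.0.7", make_response(i, NXDOMAIN)) for i in range(30)]
    + [(1.0, "10.0.0.9", make_response(99, 0))],
    key=lambda p: p[0],
)

if __name__ == "__main__":
    print(detect_nxdomain_flood(SAMPLE_PACKETS, threshold=20, window_s=10.0))
```

Only the bursty host is reported; the slow trickle never accumulates 20 answers inside a 10 second window, which is the tuning knob that keeps ordinary typo traffic below the alert.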
--
Affected Systems:
Any which implement the SIP protocol.
--
Attack Scenarios:
An attacker could use a script to flood a system with requests from invalid
hosts, causing a denial of service.
--
Ease of Attack:
Simple, as it is trivial to write a script to generate requests with invalid
hostnames.
--
False Positives:
None known.
--
False Negatives:
None known.
--
Corrective Action:
Use a firewall or other access-restriction device to block unwanted messages at
your network's border.
--
Contributors:
Jiri Markl <jiri.markl@nextsoft.cz>
Sourcefire Research Team
--
Additional References
Other:
--