A couple of weeks ago I posted about some BIND/DNS based attacks we were seeing here at work. They were the BIND Infoleak buffer overflow and DNS UDP oversized packet attacks. Both of these have no false positives known and are definite attacks, but no one seems to know why we are seeing so many of these attacks. I have chatted with some folks on different mailing lists, and even my IDS provider, and no one knows of any 0-days that are floating around involving BIND or DNS in general... so it seems they are an ineffectual attack against our servers, but they are still happening a LOT.

Now, this morning something new started popping up. Once again a DNS attack, no false positives known and no reason behind it. The alerts I'm seeing this morning started around 6am PST and are ongoing... and there are a LOT of them again.

Code:
Time: 05:43:26 16-Feb-2004
Host: one of my IDS boxes
Alert ID: dns_labels:binary_alert
Source ID: dns_labels:labels_source
Alert Message: attackers IP address... owned by Stanford University -> one of my BIND boxes id 2396 DNS label contains binary data
Severity: Attack

OVERVIEW
A DNS label contains binary data.

WHY THIS IS IMPORTANT
A DNS label contains binary data. This can be indicative of an attempted buffer overflow or format string attack.

TECHNICAL INFORMATION
According to RFC 1035, encoded DNS label names should only contain ASCII characters. Buffer overflows and format string attacks often use the label names to hold shellcode when exploiting a bug in a DNS server. This alert will trigger when a label name contains non-ASCII data, often indicative of an attack.

This individual alert can be disabled by going to Administration, Variables Configuration, and setting ALERT_ON_BINARY to 0.

FALSE POSITIVES
None known.

REFERENCES
RFC 1035: Domain Names - Implementation and Specification
http://www.faqs.org/rfcs/rfc1035.html
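To make the signature logic above concrete, here is an added example (not part of the original post, and not the IDS vendor's code) that walks the question section of a raw DNS packet label by label, follows RFC 1035 compression pointers, and flags any label holding bytes outside printable ASCII, which is the condition the dns_labels:binary_alert signature describes. The sample packets are constructed inline; the function names and the printable-ASCII range used as the "binary" test are my assumptions, not taken from the product.

```python
import struct

MAX_POINTER_DEPTH = 10  # guard against compression-pointer loops in hostile packets


def parse_labels(packet: bytes, offset: int, depth: int = 0):
    """Read one DNS name starting at `offset`.

    Returns (list_of_raw_labels, offset_just_past_the_name). Follows RFC 1035
    compression pointers (top two bits 11) and rejects truncated or looping names.
    """
    if depth > MAX_POINTER_DEPTH:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:                       # root label terminates the name
            return labels, offset + 1
        if (length & 0xC0) == 0xC0:           # compression pointer to earlier name
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            rest, _ = parse_labels(packet, target, depth + 1)
            return labels + rest, offset + 2
        if length > 63:                       # 0x40/0x80 prefixes are reserved
            raise ValueError("label too long")
        label = packet[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += 1 + length


def has_binary(label: bytes) -> bool:
    """True when a label carries any byte outside printable ASCII (0x21-0x7E).

    Assumption: this is the detection criterion; RFC 1035 preferred syntax is
    even narrower (letters, digits, hyphen), so this is a deliberately loose check.
    """
    return any(b < 0x21 or b > 0x7E for b in label)


def inspect_query(packet: bytes):
    """Parse the header and question section; return one dict per question."""
    if len(packet) < 12:
        raise ValueError("short header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    findings = []
    for _ in range(qdcount):
        labels, offset = parse_labels(packet, offset)
        offset += 4                           # skip QTYPE and QCLASS
        findings.append({
            "name": ".".join(l.decode("ascii", "backslashreplace") for l in labels),
            "binary": any(has_binary(l) for l in labels),
        })
    return findings


def build_query(labels, txid=0x1234):
    """Construct a minimal standard query (one question, A/IN) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)


# Constructed samples: a normal lookup and one whose first label is raw bytes.
BENIGN = build_query([b"www", b"example", b"com"])
BINARY = build_query([b"\x01\x02\xff\xfe", b"example", b"com"])


def compressed_example():
    """Two questions; the second name points back into the first ("ftp" + pointer)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 2, 0, 0, 0)
    q1 = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    q2 = b"\x03ftp\xc0\x10" + struct.pack("!HH", 1, 1)   # 0xC010 -> offset 16
    return header + q1 + q2


if __name__ == "__main__":
    for pkt in (BENIGN, BINARY, compressed_example()):
        for q in inspect_query(pkt):
            print("ALERT" if q["binary"] else "ok   ", q["name"])
```

Run against the two constructed queries the benign one passes and the second trips the binary check; the compressed packet shows that the pointer is resolved before the bytes are judged, so a hostile label hidden behind a pointer is still inspected. Note that this flags a label as binary even when the bytes are not shellcode, which matches the signature's "often indicative" wording rather than proving an exploit attempt.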
So, once again I'll put this out here. If anyone has any clue as to why we are seeing so many of these DNS attacks, drop me a line. I'm at wit's end trying to figure this out. Our boxes are patched up to date, both OS and application versions. They are fairly hardened too, with no unneeded applications installed. I'm getting tired of seeing these attacks on my DNS boxes and they are starting to fill my logs up :-/