forked from splunk/security_content
dns_amplification_attacks.yml
category:
- Abuse
channel: ESCU
creation_date: '2016-08-24'
description: DNS poses a serious threat as a Denial of Service (DOS) amplifier, if
  it responds to `ANY` queries. This Analytic Story can help you detect attackers
  who may be abusing your company's DNS infrastructure to launch amplification attacks,
  causing Denial of Service to other victims.
detections:
- detection_id: 8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb
  name: Large Volume of DNS ANY Queries
  type: splunk
id: e8afd39e-3294-11e6-b39d-a45e60c6700
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
modification_date: '2016-09-13'
name: DNS Amplification Attacks
narrative: 'The Domain Name System (DNS) is the protocol used to map domain names
  to IP addresses. It has been proven to work very well for its intended function.
  However, if DNS is misconfigured, servers can be abused by attackers to levy amplification
  or redirection attacks against victims. Because DNS responses to `ANY` queries are
  so much larger than the queries themselves--and can be made with a UDP packet, which
  does not require a handshake--attackers can spoof the source address of the packet
  and cause much more data to be sent to the victim than if they sent the traffic
  themselves. The `ANY` responses will be larger than normal DNS server responses,
  due to the fact that the server provides significant details, such as MX records
  and associated IP addresses. A large volume of this traffic can result in a DOS
  on the victim''s machine. This misconfiguration leads to two possible victims, the
  first being the DNS servers participating in an attack and the other being the hosts
  that are the targets of the DOS attack.\
  The search in this story can help you to detect if attackers are abusing your company''s
  DNS infrastructure to launch DNS amplification attacks causing Denial of Service
  to other victims.'
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references:
- https://www.us-cert.gov/ncas/alerts/TA13-088A
- https://www.imperva.com/learn/application-security/dns-amplification/
spec_version: 2
usecase: Security Monitoring
version: '1.0'
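The story above points at a single detection, "Large Volume of DNS ANY Queries", without showing the logic. The block below is an added example, written in Python rather than SPL and not part of splunk/security_content or this story's search: it counts `ANY` queries per source address over a sliding window on a resolver's query log and flags sources that exceed a threshold, which is the defender-side signal for a resolver being used as an amplifier. The log line format, the field names, the sample lines and the threshold are all assumptions constructed for the example.

```python
"""Sliding-window detection of high-volume DNS ANY queries per source.

Added example for the story above; not code from splunk/security_content.
The log format below is an assumption, not any real resolver's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format:
#   <ISO timestamp> src=<client ip> dst=<resolver ip> qtype=<type> q=<name> bytes_out=<response size>
BENIGN_LINES = [
    "2016-08-24T10:00:00 src=203.0.113.5 dst=198.51.100.1 qtype=A q=www.example.com bytes_out=90",
    "2016-08-24T10:00:02 src=203.0.113.5 dst=198.51.100.1 qtype=MX q=example.com bytes_out=140",
    "2016-08-24T10:00:05 src=203.0.113.7 dst=198.51.100.1 qtype=ANY q=example.com bytes_out=3100",
    "2016-08-24T10:03:05 src=203.0.113.7 dst=198.51.100.1 qtype=AAAA q=www.example.com bytes_out=110",
]
# Constructed flood: one source address (in a real attack, the spoofed victim)
# appearing on 12 ANY queries for the same zone within 30 seconds, each of
# which the resolver answered with a ~3 KB response.
FLOOD_LINES = [
    f"2016-08-24T10:01:{i * 2:02d} src=192.0.2.10 dst=198.51.100.1 "
    f"qtype=ANY q=example.com bytes_out=3200"
    for i in range(12)
]
SAMPLE_LOG = BENIGN_LINES + FLOOD_LINES

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) qtype=(?P<qtype>\S+) "
    r"q=(?P<q>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def find_any_query_floods(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {src: {"peak_in_window": n, "bytes_out": total}} for each source
    that issued at least `threshold` ANY queries inside any `window`-long span.

    Lines are assumed to arrive in time order, as a resolver log would.
    `bytes_out` is the total response volume the resolver sent back towards
    that source for ANY queries, i.e. the amplified traffic the source (the
    spoofed victim, if this is an attack) actually received.
    """
    recent = defaultdict(deque)   # src -> timestamps of its ANY queries still in the window
    sent = defaultdict(int)       # src -> total response bytes for its ANY queries
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        src = rec["src"]
        q = recent[src]
        q.append(rec["ts"])
        sent[src] += rec["bytes_out"]
        # Drop timestamps that have fallen out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(src, {}).get("peak_in_window", 0))
            flagged[src] = {"peak_in_window": peak, "bytes_out": 0}
    for src in flagged:
        flagged[src]["bytes_out"] = sent[src]
    return flagged


if __name__ == "__main__":
    for src, info in find_any_query_floods(SAMPLE_LOG).items():
        print(f"{src}: {info['peak_in_window']} ANY queries in one window, "
              f"{info['bytes_out']} response bytes sent towards it")
```

Tune `threshold` and `window` to the resolver's normal baseline before alerting on it; a single `ANY` query from a legitimate client (as `203.0.113.7` in the sample) is not flagged, only sustained volume is. Because the source address in an amplification attack is the victim's, the flagged address identifies who is being hit, and the `dst` field identifies which of your resolvers is answering `ANY` and should be reconfigured.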