Rule Category

PROTOCOL-DNS -- Snort alerted on a Domain Name Server (DNS) protocol issue. These packets travel over UDP on port 53 to serve DNS queries--user website requests through a browser. Several vulnerability use-cases exist (i.e., additional data could be sent with a request, which would contact a DNS server pre-prepared to send information back and forth).

Alert Message

PROTOCOL-DNS DNS root query traffic amplification attempt

Rule Explanation

This event is generated when a DNS root query is detected on the network.

Impact: Denial of Service (DoS)

Details: This traffic indicates that a DDoS attack may be underway. A DNS amplification attack that merely queries nameservers for the "." domain will cause this event to be generated. The domain queried for is the root server domain, so the response will be large. This response traffic is directed at an endpoint that is not the real source of the query; the intent is to cause a DoS on the spoofed source.

Ease of Attack: Simple.
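To show what the rule is keying on, here is an added example (not Cisco Talos or Snort code) that parses the question section of a DNS query, flags queries whose QNAME is the root (a single zero-length label), and applies a simple per-source count-within-window threshold; the threshold values are assumed, since the rule's actual settings are not given on this page, and the sample packets are constructed with `build_query`.

```python
import struct
from collections import defaultdict

def parse_query_qname(payload: bytes):
    """Return the QNAME of the first question in a DNS query, or None for
    responses, truncated packets, or names using compression pointers."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not expected in a question
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) + "."  # a root query yields just "."

class RootQueryDetector:
    """Alert when one source sends `count` root queries within `seconds`
    (assumed threshold values; the real rule's settings are not on this page)."""
    def __init__(self, count=3, seconds=60):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(list)  # src_ip -> timestamps of root queries

    def observe(self, src_ip, ts, payload) -> bool:
        if parse_query_qname(payload) != ".":
            return False
        window = [t for t in self.seen[src_ip] if ts - t < self.seconds]
        window.append(ts)
        self.seen[src_ip] = window
        return len(window) >= self.count

def build_query(qname: str, txid=0x1234, qtype=255) -> bytes:
    """Constructed sample DNS query (standard query, RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = [p for p in qname.rstrip(".").split(".") if p]
    name = b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)
```

Legitimate resolvers do occasionally query the root (for example, priming queries), which is why the count-based threshold rather than the single query is what produces the alert.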

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Legitimate queries for "." would cause this rule to fire; however, the rule applies thresholding to mitigate the possibility of genuine queries triggering the rule.

Contributors

Cisco Talos

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None