DNS Protocol Attacks - All coming from Yahoo and Google Name Servers

Hi all,

I'm still a rookie when it comes to this beast of a product so please bear with me.

I'm seeing a lot of "PROTOCOL-DNS single byte encoded name response" attacks and they all originate from Yahoo and Google name servers.

My question has three parts: why, what does it mean, and how can I stop it?

I have Sophos XG running as a VM with a single NIC configured as passthrough so the XG can connect directly to the web using PPPoE. On the LAN side I have Pi-Hole running, with Unbound configured to use the root name servers.

Pi-Hole is the DHCP and DNS server for the network. Clients point directly at Pi-Hole for DNS queries. The XG points at the Pi-Hole for DNS queries too.

I don't have a problem with DNS resolution, it works well. I just don't like seeing attacks and would like to understand what's going on and prevent it if possible.

This screenshot shows the sheer number of "attacks". It seems like a LOT considering the XG has only been in place for around 18 hours.

I'm hoping someone with more experience can enlighten me.
 
Let me know if you need any additional info.
 
Thanks
TBO
 


  • Hi,

    If you have applied an IPS policy on the firewall rule through which the DNS traffic passes, and the traffic matches a signature in that IPS policy, it will trigger the events shown in the screenshot.

    For more details, please follow the given links.

    https://www.snort.org/rule_docs/1-14777

    https://community.sophos.com/kb/en-us/132879

    https://docs.sophos.com/nsg/sophos-firewall/v16058/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/IpsPolicyManage.html

  • Hi Keyur,

    Thank you very much for getting back to me.

    Despite not understanding why, I have created an exception for DNS as described in KB 132879. After creating that rule I haven't seen the number of Protocol DNS attacks increase, so it appears those connections are coming through.

    I would really like to understand why I'm allowing these connections through though. According to the Snort page you linked to, using this kind of attack an attacker can cause a DoS and execute code. Is that still the case? If so, why let it through?

    If I'm honest I'd rather not use Google or Yahoo name servers for resolution, and DNS resolution was working beforehand.

    Is there a way to drop them before they hit the IPS?

    Thanks

    TBO

  • Do you use any kind of Symantec software in your network?

    Most likely it could be a false positive. The CVE is kinda old, so maybe the XG Snort engine is flagging your network traffic as a false positive.

    If you have multiple such false positives, you could report it to Sophos.

    It is kinda hard to perform the steps, because Sophos will have to create a traffic dump to analyze the traffic.

    Do you have a way to reproduce this? 
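Added example, not from this thread, from Sophos, or from the Snort rule itself: a small DNS response decoder for triaging a traffic dump of the flagged packets before sending it on. The thread does not state the exact match condition of SID 14777, so the "single-byte label" check below is an assumption drawn only from the signature's name; what the code does reliably is decode every name in a response (including compression pointers, with loop and forward-pointer guards) and report the label lengths so the packets can be compared against the rule documentation. The sample packet is constructed inline, and the address 192.0.2.10 is a documentation-range placeholder.

```python
import struct

# Constructed sample packet (not captured from the poster's network): a
# standard DNS response for an A query on "a.example.com", with the answer
# name compressed as a pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)            # header
    + b"\x01a\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # question, A/IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)            # answer, pointer to offset 12
    + bytes([192, 0, 2, 10])                                      # placeholder RDATA
)

MAX_POINTER_HOPS = 16


def decode_name(msg, offset):
    """Decode a possibly compressed name starting at offset.
    Returns (labels, offset_after_name). Forward pointers and pointer loops
    are rejected; both are classic ways to trip up a careless DNS parser."""
    labels = []
    end = None          # offset just past the name in the original stream
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            if target >= offset:
                raise ValueError("pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many pointer hops")
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:                               # root label ends the name
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length])
        offset += length
    return labels, (end if end is not None else offset)


def parse_response(msg):
    """Walk the header, question and answer/authority/additional sections and
    return one entry per decoded name: section, dotted name, label lengths."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    entries = []
    off = 12
    for _ in range(qd):
        labels, off = decode_name(msg, off)
        off += 4                                      # QTYPE, QCLASS
        entries.append(("question", labels))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            labels, off = decode_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            entries.append((section, labels))
    return [
        {
            "section": section,
            "name": ".".join(l.decode("ascii", "replace") for l in labels) or ".",
            "label_lengths": [len(l) for l in labels],
        }
        for section, labels in entries
    ]


def names_with_single_byte_labels(msg):
    """Names in the message containing at least one one-byte label (assumed
    reading of the signature name; confirm against the rule documentation)."""
    return [e["name"] for e in parse_response(msg) if 1 in e["label_lengths"]]


if __name__ == "__main__":
    for entry in parse_response(SAMPLE_RESPONSE):
        print(entry)
    print("single-byte labels in:", names_with_single_byte_labels(SAMPLE_RESPONSE))
```

To use it on a real dump, feed each UDP payload from the capture to `parse_response` and look at which names the hits share; if they are ordinary hostnames from well-known resolvers, that supports the false-positive theory and gives Sophos something concrete to look at.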

  • Hi LuCar Toni,

    Sorry for the delay getting back to you. Been working away a lot over the past couple of weeks.

    To stop those "attacks" filling up the logs I created a rule that allowed them through, as suggested a couple of posts up.

    All I would have to do to recreate the issue is delete or disable that rule.

    I'd be interested in blocking them completely. I guess I would create a rule that would drop packets from the IP addresses these "attacks" are originating from, essentially Google and Yahoo name servers.

    I'm still trying to wrap my head around this beast of a product.

    For now I'll play around with creating rules to drop packets at the firewall before IPS gets involved.

    Thanks for the assistance all!
