topic Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack" in Advanced Threat Prevention Discussions

What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Jitaphon — Thu, 23 Mar 2023 08:08:02 GMT

Hi All

I need to know about Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack". I found the firewall drop traffic and hit the threat id-40033, but we try to packet capture with this traffic for DNS query for same source and same destination is not reach 500 times per 60 seconds. Why Palo drop the query packet? and what's traffic that hit list the threat id-40033?

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Raido_Rattameister — Thu, 23 Mar 2023 16:38:37 GMT

DNS ANY request means if client asks DNS server "give me all the data".

Now assume you host DNS server and receive DNS ANY request with forged source IP.

Incoming packet to you is small but outgoing packet you send out is big.

This can be used in DDoS attack if attacker sends DNS ANY requests with spoofed source IP of the victim.

DNS servers reply to victim and effectively attacker has achieved amplification attack.

You can test how DNS ANY request looks like from your computer command line:

nslookup -type=any www.ee

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Jitaphon — Sun, 26 Mar 2023 14:32:06 GMT

@Raido_Rattameister

Thanks, I want to known, what traffic can be the cause of hit the Threat-ID?

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Raido_Rattameister — Sun, 26 Mar 2023 16:57:30 GMT

DNS ANY request generates threat id 34842 (DNS ANY Request).

Multiple DNS ANY requests in a row generate 40033 (DNS ANY Queries Brute Force DOS Attack).

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Jitaphon — Mon, 27 Mar 2023 06:12:39 GMT

@Raido_Rattameister

How can I check for this matter?
"Now assume you host DNS server and receive DNS ANY request with forged source IP."

"Incoming packet to you is small but outgoing packet you send out is big."

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Raido_Rattameister — Mon, 27 Mar 2023 12:20:48 GMT

DNS ANY is logged under threat id 34842 so you can check firewall threat log using filter below..

( threatid eq 34842 )

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

ymiyashita — Tue, 28 Mar 2023 05:24:22 GMT

According to the KB,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC

40033 is triggered if a session has same source and same destination but triggers our child signature, 34842, 250 times in 30 seconds. (not 500 times per 60 seconds).

Re: What is Threat ID 40033 "DNS ANY Queries Brute Force DOS Attack"

Raido_Rattameister — Tue, 28 Mar 2023 05:45:05 GMT

Every time computer tries to resolve DNS request it will send out request to every DNS suffix it has.

In addition depending on operating system it might send those requests to all its DNS servers simultaneously .

Add count column and you see that single line can actually be multiple events.

Below is small demo I ran through firewall.