topic Re: Find the source for &quot;DNS amplification attack response&quot; in General Topics https://live.paloaltonetworks.com/t5/general-topics/find-the-source-for-quot-dns-amplification-attack-response-quot/m-p/585300#M116852 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/922167235">@Arman_Zaheri</a> ,</P> <P>&nbsp;</P> <P><SPAN>The (36029) signature triggers when DNS TYPE is TXT, section is ANSWER, and length between 3800 and 4000 in the response.</SPAN></P> <P>&nbsp;</P> <P>Grab the PCAP from the threat log (you might have to enable PCAP in the TID first).&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiwi_0-1714463821455.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59347iCDC139A4DD1D5492/image-size/medium?v=v2&amp;px=400" role="button" title="kiwi_0-1714463821455.png" alt="kiwi_0-1714463821455.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Send the PCAP over to TAC for analysis.&nbsp; If this is truly a FP then the signature might have to be updated.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Tue, 30 Apr 2024 08:04:36 GMT kiwi 2024-04-30T08:04:36Z Find the source for "DNS amplification attack response" https://live.paloaltonetworks.com/t5/general-topics/find-the-source-for-quot-dns-amplification-attack-response-quot/m-p/585211#M116843 <P>Hello,</P> <P>We receive many "<SPAN>DNS amplification attack response" alerts with the source of our internal DNS servers toward public DNS servers on the Internet. How can we know whether these alerts are not false positives and if they are true positive, how to find the main endpoint responsible for this type of attack?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thank you all <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P> Mon, 29 Apr 2024 12:11:02 GMT https://live.paloaltonetworks.com/t5/general-topics/find-the-source-for-quot-dns-amplification-attack-response-quot/m-p/585211#M116843 Arman_Zaheri 2024-04-29T12:11:02Z Re: Find the source for "DNS amplification attack response" https://live.paloaltonetworks.com/t5/general-topics/find-the-source-for-quot-dns-amplification-attack-response-quot/m-p/585300#M116852 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/922167235">@Arman_Zaheri</a> ,</P> <P>&nbsp;</P> <P><SPAN>The (36029) signature triggers when DNS TYPE is TXT, section is ANSWER, and length between 3800 and 4000 in the response.</SPAN></P> <P>&nbsp;</P> <P>Grab the PCAP from the threat log (you might have to enable PCAP in the TID first).&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiwi_0-1714463821455.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59347iCDC139A4DD1D5492/image-size/medium?v=v2&amp;px=400" role="button" title="kiwi_0-1714463821455.png" alt="kiwi_0-1714463821455.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Send the PCAP over to TAC for analysis.&nbsp; If this is truly a FP then the signature might have to be updated.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Tue, 30 Apr 2024 08:04:36 GMT https://live.paloaltonetworks.com/t5/general-topics/find-the-source-for-quot-dns-amplification-attack-response-quot/m-p/585300#M116852 kiwi 2024-04-30T08:04:36Z