topic Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert in General Topics

THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

tiwara — Thu, 14 Aug 2014 19:52:10 GMT

Hello Team,

We got the below threat alert from the panorama and not able to understand the most of the part , like source and Destination . Both IP looks the outside my network but still its showing the rule: Outbound_Default_URL_IPS . One of my outbound policy with threat prevention rule. Can any one please explain me this .

Wondering How can an external IP be the source IP on an internal interface of the firewall?

THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

domain: 1
receive_time: 2014/08/13 03:10:35
serial: 001801004403
seqno: 30536660
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2014/08/13 03:10:30
src: 169.254.254.238
dst: 169.254.255.255
natsrc:
natdst:
rule: Outbound_Default_URL_IPS
srcuser:
dstuser:
srcloc: 169.254.0.0-169.254.255.255
dstloc: 169.254.0.0-169.254.255.255
app: dns
vsys: vsys1
from: trust
to: untrust
inbound_if: ethernet1/2
outbound_if: ethernet1/1
logset: Panorama
time_received: 2014/08/13 03:10:34
sessionid: 7567
repeatcnt: 1
sport: 53
dport: 53
natsport: 0
natdport: 0
flags: 0x80000000
proto: udp
action: alert
cpadding: 0
threatid: Microsoft Windows NAT Helper DNS Query Denial of Service(31339)
category: any
contenttype:
behavior: 0x0400000000000000000000000000000000000000000000000000000000000000
severity: high
direction: client-to-server
misc:

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

pulukas — Thu, 14 Aug 2014 21:20:29 GMT

The address is not outside your network, these are the reserved addresses for DHCP local link autoconfiguration when no DHCP server is seen by a client requesting a DHCP address. You can see the RFC and a general description on the web sites here.

RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses

The TCP/IP Guide - DHCP Autoconfiguration / Automatic Private IP Addressing (APIPA)

For any threat the place to go is search of the threat vault for the detail. Take the threat number and plug it into the search form here.

https://threatvault.paloaltonetworks.com/

And the detail on this threat is then here.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/31339

the result is that this is an attack on windows servers in your environment. So the challenge now is to see which of your workstations are responsible for sending out these packets. This will be a manual process since all you have here in the logs is the bogus DHCP link local address. You will need to trace back to the switches to see if you can associate this traffic with mac addresses as some point in the chain.

Once you find the computers responsible you will need to clean whatever malware on them is creating this traffic.

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

ericgearhart — Fri, 15 Aug 2014 12:52:57 GMT

I hate to sound like a wet blanket, but we see a lot of false positives from PA's threat signature engine. So tiwara I would suggest you be careful in "jumping the gun" and assuming the client is infected... it might just be normal Windows behavior

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

tiwara — Mon, 18 Aug 2014 14:57:23 GMT

Hello All,

We again got the same alert from the PA threat engine , however we are not able to find the IP in the network , also its not associated to any of the web server. If its a false positive how we can stop these alerts top generate.

Thanks

Amber

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

fredallee — Mon, 18 Aug 2014 22:04:37 GMT

Amber,

You can create a threat exception by clicking on the name of the threat in the threat log. The pop-up window will allow you to select which security profile to add the exemption and also add an IP address if you only want to turn the signature off for a specific IP address as opposed to turning the signature off for the entire security profile.

Alfred

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

tiwara — Tue, 19 Aug 2014 16:17:47 GMT

Awesome ... Completed. Thanks Everyone

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Que

ENSANANTES — Tue, 10 Dec 2019 09:27:11 GMT

I know it was an old thread. Sorry for that.

I work on PANOS 9.0.5.and I see a lot a this Alert every day . According to CVE-2006-5614, this threat use Windows XP process. However, all my computers are on Windows 10 1909 and no viruses were detected on. Other strange fact is the target. The "threat" don't aim DNS server but the Gateway (here PA850).

For you , is this a false positive ? Shall i open a case?

Thanks for your help.

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Que

Wszebor — Wed, 07 Aug 2024 14:07:55 GMT

I have the same problem. Host is working on Windows 10 and is targeting not the DNS server, but the Gateway.