Sinkhole explosion

L2 Linker

Sinkhole explosion

Since midday yesterday (Monday Jan 26th) we've seen an explosion in sinkhole detections.
Previous months saw one or two a day on average; in the latest 24 hrs we've had more than 16.000 detections. This started after the antivirus update on Monday.

When checking a few of the domains via on-line URL-checking tools, no suspicious content is detected.

Latest antivirus signature contained a lot of Suspicious DNS addresses, but none of 'ours'.

Has anyone else seen this?

All DNS requests are blocked so no dangerous situation appears, but we suspect most of these requests to be false positive.

Can someone at PaloAlto check on this please?

L0 Member

Re: Sinkhole explosion

L4 Transporter

Re: Sinkhole explosion

As per ECommand, this is brought up in the other thread.  There is a bug in the latest AV update that is causing DNS queries to be caught.

L7 Applicator

Re: Sinkhole explosion

Hello Haverstad,

There is a large number of changes made in the recent Antivirus database version regarding DNS signatures. Almost 80,000 new DNS signatures have been added to this database. Could you please let me know the AV version currently installed on your PAN firewall?


Thanks

L4 Transporter

Re: Sinkhole explosion

Interesting as today I enabled Spyware and Virus signatures on outbound DNS from our Domain Controllers and we're also seeing thousands of hits/matches.

Domains such as:

  • d.audienceiq.com
  • d.p-td.com
  • p.adsymptotic.com


They flag as Spyware so I assume it's the anti-spyware signatures catching them?


Fair to say I switched off email notifications pretty quickly :smileyhappy:

L1 Bithead

Re: Sinkhole explosion

Phew! Same here. I am going email crazy!!

L4 Transporter

Re: Sinkhole explosion

Hi - we have also seen this huge explosion in DNS alerts.

We have also noticed an odd aspect - the domain name in the Palo UI alert appears to be different to the email alerts generated by Palo e.g.

  • Panorama UI log entry shows Suspicious DNS Query (generic:bam.nr-data.net) - ID 4091002
  • but the email generated from the event shows: Suspicious DNS Query (generic:ozgghm.com)(4091002)

so the same ID reference, but a different domain.

Rgds

L4 Transporter

Re: Sinkhole explosion

I am seeing this as well. Crazy!

L2 Linker

Re: Sinkhole explosion

We're running AV 1473-1947, daily automatic update.

L2 Linker

Re: Sinkhole explosion

After updating to 1474-1949 things seem better.

It's now almost eerily quiet in my in-box.
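The thread describes two triage questions: spotting the jump from one or two sinkhole hits a day to thousands and tying it to the AV content version that was installed at the time, and making sense of the fact that one signature ID (4091002 above) shows different domains in the UI and in the email alert. The script below is an added example, not code from Palo Alto Networks or from anyone in this thread. The log lines are constructed in a simplified CSV form (timestamp, content version, threat ID, domain); real PAN-OS threat logs carry many more fields, so the parser would need adapting. The spike rule (a day's count at least five times the median of earlier days) is the example's own choice, not a vendor threshold.

```python
"""Triage helper for a sudden spike in suspicious-DNS / sinkhole alerts.

Added example (not Palo Alto Networks code). The log format below is a
constructed, simplified CSV: timestamp,content_version,threat_id,domain.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a quiet baseline, then a flood after one content update.
SAMPLE_LOG = """\
2015-01-23T09:12:00,1470-1941,4091002,bam.nr-data.net
2015-01-24T11:40:00,1471-1943,4091002,d.audienceiq.com
2015-01-25T08:05:00,1472-1945,4091002,p.adsymptotic.com
2015-01-26T13:00:00,1473-1947,4091002,bam.nr-data.net
2015-01-26T13:00:01,1473-1947,4091002,ozgghm.com
2015-01-26T13:00:02,1473-1947,4091002,d.p-td.com
2015-01-26T13:00:03,1473-1947,4091002,bam.nr-data.net
2015-01-26T13:00:04,1473-1947,4091002,d.audienceiq.com
2015-01-26T13:00:05,1473-1947,4091002,p.adsymptotic.com
2015-01-27T09:00:00,1474-1949,4091002,ozgghm.com
"""


def parse_log(text):
    """Parse the constructed CSV lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue  # malformed line: ignore rather than abort the triage run
        ts, version, threat_id, domain = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "version": version,
            "id": threat_id,
            "domain": domain.lower(),
        })
    return events


def daily_counts(events):
    """Alerts per calendar day, ordered by date."""
    counts = Counter(e["time"].date().isoformat() for e in events)
    return dict(sorted(counts.items()))


def find_spike_days(events, factor=5):
    """Flag days whose count is >= factor * median of all earlier days.

    Returns (day, count, baseline) tuples so the analyst can see the scale.
    """
    spikes, history = [], []
    for day, n in daily_counts(events).items():
        if history:
            baseline = max(median(history), 1)  # never divide a quiet baseline to zero
            if n >= factor * baseline:
                spikes.append((day, n, baseline))
        history.append(n)
    return spikes


def hits_by_content_version(events):
    """Which AV content version was active when each alert fired."""
    return Counter(e["version"] for e in events)


def domains_per_threat_id(events):
    """Every domain seen under each threat ID.

    A generic DNS signature ID maps to many domains, so the ID alone does not
    identify the event; UI and email alerts must be matched on the domain too.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e["id"]].add(e["domain"])
    return {tid: sorted(domains) for tid, domains in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per day:", daily_counts(evs))
    print("spike days:", find_spike_days(evs))
    print("per content version:", hits_by_content_version(evs))
    print("domains per threat ID:", domains_per_threat_id(evs))
```

On the sample data the only flagged day is the one on which content version 1473-1947 was active, and the per-version counter shows that version carrying nearly all the hits, which is the kind of evidence to bring to the vendor before rolling forward to the next release. The per-ID domain list makes the UI/email mismatch from the earlier post unsurprising: a single generic signature ID covers many domains, so any correlation between alert sources has to key on domain as well as ID.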
