THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

Reply
Highlighted
L3 Networker

THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

Hello Team,

We got the below threat alert from the panorama and not able to understand the most of the part , like source and Destination . Both IP looks the outside my network but still its showing the rule: Outbound_Default_URL_IPS . One of my outbound policy with threat prevention rule. Can any one please explain me this .

Wondering How can an external IP be the source IP on an internal interface of the firewall?

THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

domain: 1
receive_time: 2014/08/13 03:10:35
serial: 001801004403
seqno: 30536660
actionflags: 0x0
type: THREAT
subtype: vulnerability
config_ver: 1
time_generated: 2014/08/13 03:10:30
src: 169.254.254.238
dst: 169.254.255.255
natsrc:
natdst:
rule: Outbound_Default_URL_IPS
srcuser:
dstuser:
srcloc: 169.254.0.0-169.254.255.255
dstloc: 169.254.0.0-169.254.255.255
app: dns
vsys: vsys1
from: trust
to: untrust
inbound_if: ethernet1/2
outbound_if: ethernet1/1
logset: Panorama
time_received: 2014/08/13 03:10:34
sessionid: 7567
repeatcnt: 1
sport: 53
dport: 53
natsport: 0
natdport: 0
flags: 0x80000000
proto: udp
action: alert
cpadding: 0
threatid: Microsoft Windows NAT Helper DNS Query Denial of Service(31339)
category: any
contenttype:
behavior: 0x0400000000000000000000000000000000000000000000000000000000000000
severity: high
direction: client-to-server
misc:

L7 Applicator

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

The address is not outside your network, these are the reserved addresses for DHCP local link autoconfiguration when no DHCP server is seen by a client requesting a DHCP address.  You can see the RFC and a general description on the web sites here.

RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses

The TCP/IP Guide - DHCP Autoconfiguration / Automatic Private IP Addressing (APIPA)

For any threat the place to go is search of the threat vault for the detail.  Take the threat number and plug it into the search form here.

https://threatvault.paloaltonetworks.com/

And the detail on this threat is then here.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/31339

the result is that this is an attack on windows servers in your environment.  So the challenge now is to see which of your workstations are responsible for sending out these packets.  This will be a manual process since all you have here in the logs is the bogus DHCP link local address.  You will need to trace back to the switches to see if you can associate this traffic with mac addresses as some point in the chain.

Once you find the computers responsible you will need to clean whatever malware on them is creating this traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

I hate to sound like a wet blanket, but we see a lot of false positives from PA's threat signature engine. So tiwara I would suggest you be careful in "jumping the gun" and assuming the client is infected... it might just be normal Windows behavior

L3 Networker

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

Hello All,

We again got the same alert from the PA threat engine , however we are not able to find the IP in the network , also its not associated to any of the web server. If its a false positive how we can stop these alerts top generate.

Thanks

Amber

L4 Transporter

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

Amber,

You can create a threat exception by clicking on the name of the threat in the threat log. The pop-up window will allow you to select which security profile to add the exemption and also add an IP address if you only want to turn the signature off for a specific IP address as opposed to turning the signature off for the entire security profile.

Alfred

L3 Networker

Re: THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert

Awesome ... Completed. Thanks Everyone :smileyhappy:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!