DNS big text threat seems to bypass security rule

L1 Bithead

I have a strange circumstance here, I think. I've received several threats in my threat log for "DNS Answer Big TXT Record Response Anomaly", Threat ID 31580 (not sure if that's relevant or not, it just seems an odd similarity).

So yesterday I had a few instances of this threat from a particular IP. My usual response (like it or not) when I see threats that come through with an action of "allow" or "alert" and I see multiple attempts from the same source IP (and I can't refute the assumption that this is a threat and not mis-classified normal traffic) is to add the IP as a recognized address and put it in a group for "blocked IP's." I have a security rule that says to deny from the source in the "blocked IP's" group and coming in on the L3-untrust zone (which is where this threat comes in) and to any destination on the L3-trust zone (which is the destination on these threats). So that's my setup, and I went to add this IP that got through yesterday to the block list, but it's already in the block list. Busy day yesterday, so I forgot about it - if the same IP tries again, I'll see it the next day.

So today I have the exact same circumstance with a different IP. So it seems that I have these threats that are for some reason ignoring the first security rule I have in place and making it through to the threat processor, where they're getting "allowed" or "alerted".

Thoughts on how this could be happening? My only other thought at this point is to try rebooting the firewall, but that seems far-fetched - why are all my other security rules working, and it's just these two IPs with this common threat that's getting through?


L6 Presenter

Because it's DNS answer. Session initiator (DNS query) is probably one of your DNS servers so session is allowed and response can come back.
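As an added illustration (not from this thread and not PAN-OS code), a simplified Python model of the behaviour the reply describes: the resolver's outbound query creates a session, and the answer coming back from L3-untrust is matched to that session rather than evaluated against the untrust-to-trust deny rule. It also goes one step further than the reply and shows that a deny on the outbound direction, with the same address group as the destination, stops the session from being created in the first place. Zone names are the poster's; the IP addresses are constructed placeholders.

```python
from collections import namedtuple

# Minimal model of zone-based policy plus a session table, UDP only.
Packet = namedtuple("Packet", "src_zone src_ip sport dst_zone dst_ip dport")
Rule = namedtuple("Rule", "name src_zone dst_zone action src_ips dst_ips",
                  defaults=(frozenset(), frozenset()))  # empty set = any

def matches(r, p):
    return (r.src_zone == p.src_zone and r.dst_zone == p.dst_zone
            and (not r.src_ips or p.src_ip in r.src_ips)
            and (not r.dst_ips or p.dst_ip in r.dst_ips))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # flows the policy admitted, as 4-tuples

    def process(self, p):
        # Reply direction of an existing session is matched to that session;
        # the rulebase is not consulted again, which is the reply's point.
        if (p.dst_ip, p.dport, p.src_ip, p.sport) in self.sessions:
            return "session", "allow"
        for r in self.rules:
            if matches(r, p):
                if r.action == "allow":
                    self.sessions.add((p.src_ip, p.sport, p.dst_ip, p.dport))
                return r.name, r.action
        return "interzone-default", "deny"

BAD = frozenset({"203.0.113.10"})  # constructed, stands in for the "blocked IP's" group
RESOLVER = "10.0.0.53"             # constructed, an internal DNS server
QUERY = Packet("L3-trust", RESOLVER, 34567, "L3-untrust", "203.0.113.10", 53)
ANSWER = Packet("L3-untrust", "203.0.113.10", 53, "L3-trust", RESOLVER, 34567)

def run(rules):
    """Unsolicited inbound from the bad IP, then a resolver query, then its answer."""
    fw = StatefulFirewall(rules)
    return [fw.process(ANSWER), fw.process(QUERY), fw.process(ANSWER)]

# The rulebase as described in the post: the deny covers untrust -> trust only.
AS_POSTED = [Rule("block-bad-ips", "L3-untrust", "L3-trust", "deny", src_ips=BAD),
             Rule("allow-dns-out", "L3-trust", "L3-untrust", "allow")]
# Adding an outbound deny means the query never creates a session for the answer to use.
WITH_OUTBOUND_DENY = [Rule("block-bad-ips-out", "L3-trust", "L3-untrust", "deny",
                           dst_ips=BAD)] + AS_POSTED
```

With `AS_POSTED`, the unsolicited packet is denied but the answer to the resolver's own query is allowed by the session; with `WITH_OUTBOUND_DENY`, the query is denied and the answer has no session to match.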
