TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 24025
DNS UDP inverse query overflow attempt
Threat Level: Severe
Industry ID: CVE-1999-0009 Bugtraq: 134
Signature Description: A buffer overflow exists in certain versions of BIND, the name server daemon maintained by
the Internet Software Consortium (ISC). BIND fails to properly bound the data received when processing an inverse
query (IQUERY). During the subsequent memory copy, portions of the program can be overwritten and arbitrary
commands run on the affected server. When the inverse query arrives over UDP, the attacker can trigger a heap
overflow. Upgrading to the latest version of BIND eliminates this vulnerability.
Signature ID: 24950
Possible TCP DNS Buffer Overflow Vulnerability
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send queries containing domain names and DNS servers answer with the IP
address associated with the domain name (and vice versa); the service is critical for the normal operation of
internet-connected systems. A DNS server typically listens on port 53 and exchanges DNS information in the form of
RRs (resource records) carried in DNS query/response messages. This protocol anomaly is generated when a DNS
message carried over TCP has a data length of less than 12 bytes. Every DNS message begins with a fixed 12-byte
header (transaction ID, flags, and four 16-bit section counts), so a message shorter than this minimum header length
cannot be valid and is treated as a malformed DNS packet.
Signature ID: 24951
Possible UDP DNS Buffer Overflow Vulnerability
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send queries containing domain names and DNS servers answer with the IP
address associated with the domain name (and vice versa); the service is critical for the normal operation of
internet-connected systems. A DNS server typically uses UDP port 53 and exchanges DNS information in the form of
RRs (resource records) carried in DNS query/response messages. This protocol anomaly is triggered when a DNS
message carried over UDP has a data length of less than 12 bytes or greater than 512 bytes. The data length of a DNS
message must be at least 12 bytes, the size of the fixed header. For DNS over UDP the maximum permitted message
length is 512 bytes; when a message exceeds 512 bytes, the server sets the truncation (TC) bit and the client should
retry the query over TCP to obtain the full message. The anomaly therefore fires whenever the data length does not
conform to the UDP DNS protocol.
Signature ID: 24952
Mismatch of DNS Query & Response IDs
Threat Level: Information
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send queries containing domain names and DNS servers answer with the IP
address associated with the domain name (and vice versa); the service is critical for the normal operation of
internet-connected systems. A DNS server typically uses UDP port 53 and exchanges DNS information in the form of
RRs (resource records) carried in DNS query/response messages. Each DNS message header contains a 16-bit field
called the Transaction ID. The client and server must carry the same transaction identifier in the query and its
corresponding response. This rule generates a log message whenever a DNS response is received whose ID does not
match any of the IDs used in outstanding queries.
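The three protocol-anomaly checks above (signatures 24950, 24951 and 24952) can be reproduced as a small inspection routine. The following is an added example written for this guide, not code from the TMS zl module or from ProCurve; it parses the 12-byte DNS header with the Python standard library, applies the length rules for TCP and UDP, and keeps a per-flow set of outstanding query IDs so that a response with an unknown ID is flagged. The sample packets it inspects are constructed inline. Two points are assumptions rather than statements from the guide: for TCP, the 2-octet length prefix that precedes every DNS message on a stream is stripped before the 12-byte minimum is applied, and a single packet is assumed to carry a single DNS message (no stream reassembly).

```python
import struct

# Constants from RFC 1035: fixed 12-byte header, 512-byte UDP ceiling, QR bit in flags.
DNS_HEADER_LEN = 12
UDP_MAX_LEN = 512
QR_MASK = 0x8000

# Signature IDs as listed in this guide.
SIG_TCP_LEN = 24950
SIG_UDP_LEN = 24951
SIG_ID_MISMATCH = 24952


def length_anomaly(transport, msg):
    """Return the length-anomaly signature ID for one DNS message, or None if its length is in range."""
    n = len(msg)
    if transport == "tcp":
        return SIG_TCP_LEN if n < DNS_HEADER_LEN else None
    if transport == "udp":
        return SIG_UDP_LEN if n < DNS_HEADER_LEN or n > UDP_MAX_LEN else None
    raise ValueError("transport must be 'tcp' or 'udp'")


def parse_header(msg):
    """Unpack the fixed header; the caller must already have checked len(msg) >= 12."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])
    return {"id": ident, "is_response": bool(flags & QR_MASK),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


class TransactionTracker:
    """Remembers outstanding query IDs per (client, server) flow and flags responses
    whose ID matches none of them (signature 24952). IDs are consumed on first match,
    so a duplicate or replayed response is also flagged."""

    def __init__(self):
        self.outstanding = {}  # (client_addr, server_addr) -> set of 16-bit IDs

    def observe(self, src, dst, msg):
        hdr = parse_header(msg)
        if not hdr["is_response"]:
            self.outstanding.setdefault((src, dst), set()).add(hdr["id"])
            return None
        ids = self.outstanding.get((dst, src), set())  # response flows server -> client
        if hdr["id"] in ids:
            ids.discard(hdr["id"])
            return None
        return SIG_ID_MISMATCH


def inspect(tracker, transport, src, dst, raw):
    """Run the length check, then the ID check, on one packet payload; return fired signature IDs."""
    msg = raw
    if transport == "tcp":
        # Assumption: the 2-octet length prefix (RFC 1035 4.2.2) is not counted as DNS data.
        if len(raw) < 2:
            return [SIG_TCP_LEN]
        (declared,) = struct.unpack("!H", raw[:2])
        msg = raw[2:2 + declared]
    sig = length_anomaly(transport, msg)
    if sig is not None:
        return [sig]  # header cannot be trusted, stop here
    sig = tracker.observe(src, dst, msg)
    return [sig] if sig is not None else []


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(ident, name):
    """Constructed minimal A query (flags: standard query, recursion desired)."""
    return (struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
            + _encode_name(name) + struct.pack("!HH", 1, 1))


def build_response(ident, name, addr=b"\xc0\x00\x02\x01"):
    """Constructed response with one A record; the answer name is a pointer to the question name."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + addr
    return (struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)
            + _encode_name(name) + struct.pack("!HH", 1, 1) + answer)


def run_demo():
    """Inspect a constructed packet sequence; returns the list of fired signatures per packet."""
    tracker = TransactionTracker()
    client, server = ("198.51.100.7", 53001), ("192.0.2.53", 53)  # documentation addresses
    query = build_query(0x1234, "example.com")
    packets = [
        ("udp", client, server, query),                                       # valid query
        ("udp", server, client, build_response(0x5678, "example.com")),       # wrong ID -> 24952
        ("udp", server, client, build_response(0x1234, "example.com")),       # matching response
        ("udp", server, client, build_response(0x1234, "example.com")),       # replay, ID consumed -> 24952
        ("udp", client, server, query[:8]),                                   # 8-byte header -> 24951
        ("udp", client, server, query + b"\x00" * 600),                       # > 512 bytes -> 24951
        ("tcp", client, server, struct.pack("!H", 8) + query[:8]),            # 8-byte header -> 24950
        ("tcp", client, server, struct.pack("!H", len(query)) + query),       # valid TCP query
    ]
    return [inspect(tracker, t, s, d, raw) for t, s, d, raw in packets]


if __name__ == "__main__":
    for fired in run_demo():
        print(fired or "ok")
```

One caveat when deploying the 512-byte rule of signature 24951: EDNS0 (RFC 6891) lets a client advertise a larger UDP payload size in an OPT record, and DNSSEC-signed responses routinely exceed 512 bytes over UDP on that basis, so this anomaly will fire on legitimate EDNS0 traffic unless it is tuned for the resolvers in scope. The example's ID tracker is also unbounded; a production implementation would age out outstanding entries so that a client that never receives answers cannot grow the table indefinitely.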