TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

header). If the OFFSET value points to out-of-boundary data, this could lead to a DoS attack. These are protocol
anomalies that should be detected, as some DNS handlers could fail to handle such packets, resulting in denial of
service conditions.
Signature ID: 24957
DNS integrity check in Resource Records and RR count.
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries with domain names and DNS servers answer with the IP
address associated with the domain name (and vice versa); the service is critical for the normal operation of internet-connected
systems. DNS servers typically use UDP port 53 and exchange DNS information in the form of RRs (resource
records) in DNS query/response packets. This rule is triggered when the system catches a malformed DNS packet in which
an RR count field (question RRs, answer RRs, additional RRs or authority RRs) does not match the number of resource
records actually present in that section. These integrity errors are protocol anomalies that should be detected, as some DNS handlers
could fail to handle such packets, resulting in denial of service conditions.
Signature ID: 24958
DNS message integrity check for abnormal RR count.
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries with domain names and DNS servers answer with the IP
address associated with the domain name (and vice versa); the service is critical for the normal operation of internet-connected
systems. DNS servers typically use UDP port 53 and exchange information in the form of RRs (resource records)
in DNS query/response packets. This rule is triggered when a large number of RRs (say, more than 200) is seen in a particular section, i.e.
in the question RRs, answer RRs, additional RRs or authority RRs. Such protocol anomalies should
be detected, as some DNS handlers could fail to handle such packets, resulting in denial of service conditions.
Signature ID: 24959
DNS integrity check in Resource Record count and data.
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries with domain names and DNS servers answer with the IP
address associated with the domain name (and vice versa); the service is critical for the normal operation of internet-connected
systems. DNS servers typically use UDP port 53 and exchange DNS information in the form of RRs (resource
records) in DNS query/response packets. This rule is triggered when the system catches a malformed DNS packet with
insufficient data, i.e. a mismatch between the RR count and the data actually present in the buffer. These integrity errors are protocol anomalies that
should be detected, as some DNS handlers could fail to handle such packets, resulting in denial of service conditions.
Signature ID: 24961
DNS message pointer loop vulnerability
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries with domain names, and DNS servers answer with the IP
address associated with the domain name. DNS typically uses UDP port 53. DNS uses compression to eliminate the
repetition of domain names in a message in order to reduce message size. The compression scheme uses a pointer to
refer to a prior name string when the string repeats later in a DNS message. A DNS message containing a pointer that
points to itself, or pointers that point to each other, results in a pointer loop. Pointer loops are protocol anomalies that
should be detected, as some DNS handlers could fail to handle such packets, resulting in denial of service conditions.
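The integrity checks behind signatures 24957 through 24961 can be illustrated with a small message walker. The following Python is an added example, not code from the reference guide or the TMS zl module: it parses one DNS message and reports a section count above 200 (the threshold the text gives), a count that promises more records than the buffer holds, and a compression pointer loop. The four sample messages at the bottom are constructed, not captured traffic.

```python
import struct
MAX_RRS = 200   # per-section threshold taken from the signature text ("say >200")

def name_end(msg, off):
    # Skip a possibly compressed name and return the offset just past it.
    visited, end = set(), None
    while True:
        if off >= len(msg):
            raise ValueError("insufficient data")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end      # the name ends after its first pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr in visited:                         # points to itself, or two pointers point at each other
                raise ValueError("pointer loop")
            visited.add(ptr)
            off = ptr
        elif length == 0:                              # root label terminates the name
            return off + 1 if end is None else end
        else:
            off += 1 + length                          # ordinary label: skip its bytes

def inspect_dns(msg):
    # Return the anomaly strings found in one DNS message (empty list when clean).
    anomalies, off = [], 12
    try:
        counts = struct.unpack("!HHHH", msg[4:12])     # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
        anomalies += [f"abnormal RR count in {name} section ({n})" for name, n in zip(
            ("question", "answer", "authority", "additional"), counts) if n > MAX_RRS]
        for section, count in enumerate(counts):
            for _ in range(count):
                off = name_end(msg, off)
                if section == 0:
                    off += 4                           # QTYPE + QCLASS
                else:                                  # TYPE, CLASS, TTL, RDLENGTH, then RDATA
                    off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
                if off > len(msg):                     # count promises more data than the buffer holds
                    raise ValueError("insufficient data")
    except struct.error:                               # header or fixed RR fields cut short
        anomalies.append("insufficient data")
    except ValueError as exc:
        anomalies.append(str(exc))
    return anomalies

QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)                     # constructed: example.com A IN
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # constructed: name points to offset 12
CLEAN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER     # well-formed response
LOOP = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)  # QNAME points to itself
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0) + QUESTION + ANSWER  # claims 3 answers, carries 1
HUGE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 300, 0, 0) + QUESTION + ANSWER     # ANCOUNT 300 (>200)
```

Each returned string corresponds to one of the signatures above; a real sensor would additionally record the offending section and offset for the alert.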