Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 901


Appendix E: Log Entries

Table 122: Deep Inspection Alarm Log Entries (continued)

| Attack Name | Attack Description | Severity | Versions |
|---|---|---|---|
| DNS:EXPLOIT:REQUEST-SHORT-MSG | This protocol anomaly is a DNS message that ended prematurely. This may indicate an exploit attempt. | high | sos5.1.0 |
| DNS:EXPLOIT:TYPE-AXFR | This protocol anomaly is a zone transfer attempt. This may indicate an attempt to obtain information about an entire domain. | medium | sos5.0.0, sos5.1.0 |
| DNS:HEADERERROR:INVALID-OPCODE | This protocol anomaly is a DNS request/reply with an invalid value in the header OPCODE field. This may indicate an exploit attempt. | medium | sos5.0.0, sos5.1.0 |
| DNS:OVERFLOW:FF-FF-BIN | This signature detects attempts to create buffer overflows. Attackers may send maliciously crafted packets to DNS servers to overflow the buffer and gain root access. | critical | sos5.0.0, sos5.1.0 |
| DNS:OVERFLOW:INVALID-LABEL-LEN | This protocol anomaly is a DNS request/reply with a label that exceeds the maximum length (63) specified in the RFC. This may indicate a buffer overflow attempt. | critical | sos5.0.0, sos5.1.0 |
| DNS:OVERFLOW:INVALID-POINTER | This protocol anomaly is a DNS request/reply with a pointer that points beyond the end of the data. This may indicate a buffer overflow or denial-of-service (DoS) attempt. | critical | sos5.0.0, sos5.1.0 |
| DNS:OVERFLOW:NAME-TOO-LONG | This protocol anomaly is a DNS name that exceeds 255 characters. This may cause problems for some DNS servers. | critical | sos5.0.0, sos5.1.0 |
| DNS:OVERFLOW:NXT-OVERFLOW | This protocol anomaly is a suspiciously large NXT resource record in a DNS transaction. BIND versions 8.2 through 8.2.1 are vulnerable to a buffer overflow in the processing of NXT resource records. | critical | sos5.1.0 |
| DNS:OVERFLOW:OPT-DOS | This protocol anomaly is a suspiciously long OPT resource record. All versions of BIND up to version 8.3.3 are vulnerable to a denial-of-service attack. An attacker can crash the server by requesting a subdomain that does not exist with an OPT resource record that has a very large UDP payload size. | critical | sos5.1.0 |
| DNS:OVERFLOW:OVERSIZED-UDP-MSG | This protocol anomaly is a DNS UDP-based request/reply that exceeds the maximum length (512) specified in the RFC. This may indicate a buffer overflow attempt. | high | sos5.1.0 |
| DNS:OVERFLOW:SIG-OVERFLOW | This protocol anomaly is a TCP-based DNS transaction with a suspiciously small SIG resource record. BIND versions 8 to 8.3.3 are vulnerable to a heap overflow in the code that handles SIG resource records. Attackers may execute arbitrary code on the server. | critical | sos5.1.0 |
| DNS:OVERFLOW:TOO-LONG-TCP-MSG | This protocol anomaly is a DNS TCP-based request/reply that exceeds the maximum length specified in the message header. This may indicate a buffer overflow or an exploit attempt. | high | sos5.1.0 |

Copyright © 2010, Juniper Networks, Inc.
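The length and bounds limits quoted in the table (label length 63, name length 255, UDP message length 512, pointer past the end of the data, message ended prematurely, zone transfer request) can be checked on a raw DNS message as sketched below; this is an added example, not Juniper's Deep Inspection logic and not part of the original guide. It assumes that only the header and question section are parsed, that name length is counted in wire octets, and that a TCP message is passed without its 2-byte length prefix; the `query` helper, the sample messages and the `POINTER-LOOP` label are constructed for the example.

```python
import struct

MAX_LABEL, MAX_NAME, MAX_UDP, QTYPE_AXFR = 63, 255, 512, 252
SHORT = "DNS:EXPLOIT:REQUEST-SHORT-MSG"

def read_name(msg, off):
    """Walk one wire-format name; return the offset just past it in the record."""
    total, resume = 0, None
    for _ in range(256):                           # hop limit stops pointer loops
        if off >= len(msg) or (msg[off] >= 0xC0 and off + 1 >= len(msg)):
            raise ValueError(SHORT)                # name runs off the end
        b = msg[off]
        if b >= 0xC0:                              # compression pointer, 2 octets
            target = ((b & 0x3F) << 8) | msg[off + 1]
            if target >= len(msg):
                raise ValueError("DNS:OVERFLOW:INVALID-POINTER")
            resume, off = (off + 2 if resume is None else resume), target
            continue
        if b > MAX_LABEL:                          # 64..191: not a legal length
            raise ValueError("DNS:OVERFLOW:INVALID-LABEL-LEN")
        total += 1 + b                             # length octet plus label octets
        if total > MAX_NAME:
            raise ValueError("DNS:OVERFLOW:NAME-TOO-LONG")
        off += 1 + b
        if b == 0:                                 # root label ends the name
            return off if resume is None else resume
    raise ValueError("POINTER-LOOP (constructed label, not a table entry)")

def dns_anomalies(msg, transport="udp"):
    """Return the table entry names matched by a message's header and questions."""
    found = set()
    if transport == "udp" and len(msg) > MAX_UDP:
        found.add("DNS:OVERFLOW:OVERSIZED-UDP-MSG")
    try:
        off = 12                                   # fixed header is 12 octets
        for _ in range(struct.unpack_from("!H", msg, 4)[0]):   # QDCOUNT
            off = read_name(msg, off)
            qtype, _qclass = struct.unpack_from("!HH", msg, off)
            if qtype == QTYPE_AXFR:
                found.add("DNS:EXPLOIT:TYPE-AXFR")
            off += 4
    except struct.error:                           # fixed-size field cut off
        found.add(SHORT)
    except ValueError as exc:
        found.add(str(exc))
    return found

def query(name_wire, qtype=1):
    """Constructed sample: header with QDCOUNT=1 followed by one question."""
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + name_wire + struct.pack("!HH", qtype, 1)
```

A name of exactly 255 octets passes, and the same oversized message is flagged over UDP but not over TCP, which matches the way the table scopes the 512-octet limit to UDP.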
