Signature Detail

Short Name	DNS:TUNNEL:SHORT-TTL
Severity	Medium
Recommended	Yes
Category	DNS
Keywords	Short Time To Live Response
Release Date	2013/12/04
Update Number	2324
Supported Platforms	idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

DNS: Short Time To Live Response

This signature detects DNS responses with very short Time To Live (TTL) values. This is not normal for DNS and is indicative of DNS tunneling. Dropping these packets will usually block the tunnel.

References

CVE: CVE-2014-3214
URL: http://hsc.fr/ressources/outils/dns2tcp/
URL: http://code.kryo.se/iodine/
URL: http://dankaminsky.com/2004/07/29/51/

Signature Detail

Short Name

Severity

Recommended

Category

Keywords

Release Date

Update Number

Supported Platforms

DNS: Short Time To Live Response

References