Претражи подршку

Избегните преваре подршке. Никада од вас нећемо тражити да зовете или шаљете поруке на број или да делите личне податке. Пријавите сумњиве радње преко „Пријавите злоупотребу” опције.

Сазнај више

Firefox 36 send DNS ANY requests?

  • 1 одговор
  • 1 има овај проблем
  • 9 прегледа
  • Последњи одговор послао philipp

more options

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this?

'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain.

Hopefully this will keep others from chasing a false positive."

I am an incident handler at the Internet Storm Center. One of our readers sent in the following concern with Firefox 36. Can anyone shed any light on this? 'Our organization utilizes a firewall with IPS as a guard between our clients and our servers. Beginning late Wednesday, an IPS rule on this firewall began to flag DNS ANY traffic destined from a client to our internal DNS servers - logs indicated that the number of events originating from this client were enough to potentially be related to some type of botnet performing a DNS Amplification DDOS. The machine was confiscated and scanned, but was clean. The next day (2/26), the number of clients performing DNS ANY queries jumped to just under 10. Our team studied the traffic, but was having a hard time pinpointing malicious activity - we confiscated these machines as well in an abundance of caution. The issue persisted today, but we were able to catch a client with Firefox 36 performing the query. We cross-referenced our other suspect clients and confirmed that they all had upgraded to Firefox 36 just before sending DNS ANY queries. It appears that there is a bug in Firefox 36 that causes the browser to send ANY queries instead of AAAA queries. By changing "network.dns.get-ttl" to "False" in about:config, we were able to eliminate this traffic on all of the machines that were sending DNS ANY queries. I've attached a screen shot of a PCAP captured at the firewall showing an A query, followed by an ANY query of a facebook domain. Hopefully this will keep others from chasing a false positive."

Сви одговори (1)

more options

hi Namedeplume, thanks for bringing this up. the problem is tracked in bug #1093983.