Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix), IBM Security Network Protection, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, BlackICE Agent for Server, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS:
This signature detects a domain that has exceeded the RFC defined maximum.
This signature detects a Windows event log message indicating that a domain name exceeding the maximum name length has been detected by the Microsoft DNS Server.
This signature was replaced by DNS_Hostname_Overflow_Verylong.
RealSecure Server Sensor: Queries requesting non-RFC compliant hostnames will appear to be this attack.
Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.0, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Network Protection: 5.1, IBM Security Host Protection for Servers (Windows): 18.104.22.1680, RealSecure Server Sensor: 7.0, RealSecure Server Sensor: 5.5, IBM Security Host Protection for Servers (Windows): 1.0.914.0, BlackICE Agent for Server: 3.6, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, Proventia Network IDS: A Series, IBM Security Host Protection for Desktops: 8.0.614.1, Proventia Network IPS: 2.0
Various vendors Any application, DNS DNS, Microsoft Windows NT: 4.0, Microsoft Windows 2000, ISC BIND: 4.9.5, ISC BIND: 4.9.5 P1, ISC BIND: 4.9.6, ISC BIND: 4.9.7, ISC BIND: 4.9.2, ISC BIND: 4, ISC BIND: 4.9.3, ISC BIND: 4.9.4, ISC BIND: 4.9.8, ISC BIND: 4.9.9, ISC BIND: 4.9.10, ISC BIND: 4.9
DNS responses for hostnames should not exceed a certain fixed length. A domain name exceeding the maximum length of 255 octets could indicate one of the following events:
When Microsoft DNS Server encounters a resource record with a domain name exceeding the maximum length of 255 octets, the resource record is ignored by the DNS server.
Versions 4.x and earlier of BIND (Berkeley Internet Name Domain, a DNS server available for most versions of Unix) do not validate the maximum domain name length of 255 octets. Hostnames longer than this length can be returned to client programs performing DNS lookups. Client programs that do not check the length of the hostnames returned may overflow internal buffers when copying this hostname, allowing a remote attacker to gain root access or execute arbitrary commands on a targeted client computer.
Investigate the source of the invalid domain name. Ensure that the master DNS server is using the correct zone file. Correct any errors in the DNS zone file, such as bad DNS resource records, that are reported in the DNS error log. Ensure that security permissions are configured so that only the intended security principals have access.
— AND —
If you are using a version of BIND earlier than 4.x, upgrade to the latest version of BIND (8.2.2 patchlevel 5 or later), available from the BIND Web site. See References.
Microsoft TechNet, Windows NT Server Concepts and Planning Manual
Chapter 9 - Monitoring Events
Internet Software Consortium (ISC) Web site
DNS hostname exceeding maximum length