Large Volume of DNS ANY Queries
- source: splunk
- techniques:
  - T1498
  - T1498.002
Description
This search identifies attempts to use your DNS infrastructure for DDoS purposes via a DNS amplification attack that leverages ANY queries, by flagging resolvers that receive an unusually large number of ANY-type queries.
Detection logic
| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY" by "DNS.dest"
| `drop_dm_object_name("DNS")`
| where count>200
| `large_volume_of_dns_any_queries_filter`
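The same detection logic as a standalone Python re-implementation over constructed key=value DNS log lines (an added example, not part of the Splunk rule or the Security Content project): it keeps only QUERY messages of record type ANY, counts them per destination resolver, and alerts when a resolver exceeds the rule's threshold of 200. Field names `message_type`, `record_type`, `dest` and `src` are assumed to carry the same meaning as in the Network_Resolution data model.

```python
# Added example re-implementing the Splunk rule's logic outside Splunk.
# Assumption: log lines are key=value pairs with message_type, record_type,
# dest and src fields in the sense of the Network_Resolution data model.
from collections import Counter
import re

THRESHOLD = 200  # "where count>200" in the rule

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value DNS log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def count_any_queries(lines):
    """Count DNS ANY *queries* per destination resolver (the rule's 'by DNS.dest')."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("message_type") == "QUERY" and ev.get("record_type") == "ANY":
            counts[ev.get("dest", "unknown")] += 1
    return counts


def large_volume_of_dns_any_queries(lines, threshold=THRESHOLD):
    """Return {dest: count} for resolvers whose ANY-query count exceeds threshold."""
    return {d: c for d, c in count_any_queries(lines).items() if c > threshold}


# Constructed sample data: 250 ANY queries to resolver 10.0.0.53, 5 to 10.0.0.54,
# plus A-record queries and ANY *responses*, neither of which the rule counts.
SAMPLE_LOGS = (
    [f'src=203.0.113.{i % 200} dest=10.0.0.53 message_type=QUERY record_type=ANY query="example.com"'
     for i in range(250)]
    + [f'src=198.51.100.{i} dest=10.0.0.54 message_type=QUERY record_type=ANY query="example.com"'
       for i in range(5)]
    + ['src=198.51.100.7 dest=10.0.0.53 message_type=QUERY record_type=A query="example.com"'] * 300
    + ['src=10.0.0.53 dest=203.0.113.9 message_type=RESPONSE record_type=ANY query="example.com"'] * 50
)

if __name__ == "__main__":
    for dest, count in large_volume_of_dns_any_queries(SAMPLE_LOGS).items():
        print(f"alert: {count} DNS ANY queries to {dest} exceed threshold {THRESHOLD}")
```

Tune the threshold to the baseline ANY-query rate of your own resolvers before relying on the alert, as the rule's filter macro is where such per-environment exclusions belong.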