GEN:SID 1:303
Message DNS EXPLOIT named tsig overflow attempt
Summary A specific inverse query has been performed against your DNS server as a
precursor to a possible transaction signature (TSIG) buffer overflow
attack.
Impact attempt to gain access to information required for the TSIG exploit.  A
TSIG buffer overflow exploit attempt will usually follow if there is a
response to the inverse query.

Detailed Information This is an attempt to perform a specific DNS inverse query against your
DNS server.  While this specific action is not harmful itself, it
signals a precusor to a possible buffer overflow attack for a TSIG
vulernability.  The inverse query is performed for reconnaissance for
the TSIG attack.
Affected Systems BIND Versions 4 and through 8.2 are susceptible to the inverse query
information leak.

Attack Scenarios The envisioned scenario is that if a DNS server responds to the inverse
query and leaks information required in the actual attack, the exploit
code then attacks the TSIG buffer overflow vulnerability.  If this is
successful, the attacker gains access to the DNS server at the privilege
of the DNS daemon, named (potentially root).

Ease of Attack Code is available to exploit the vulnerability.
Corrective Action Update to BIND versions greater than 8.2 to prevent the information
leak.
Additional References Bugtraq:
http://www.securityfocus.com/bid/2302

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010

Arachnids:
http://www.whitehats.com/info/IDS482
Rule References arachnids: 482
bugtraq: 2302
cve: 2001-0010