title: Possible DNS Rebinding
id: ec5b8711-b550-4879-9660-568aaae2c3ea
status: experimental
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
    - attack.command_and_control
    - attack.t1043
logsource:
    product: dns
detection:
    selection:
        answer: '*'
    filter1:
        ttl: '>0'
    filter2:
        ttl: '<10'
    timeframe: 30s
    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
level: medium