Excessive number of DNS failures requiring investigation

ID: excessive_dns_failures
Data type: DNS
Severity: Low
MITRE ATT&CK: TA0011:T1071.004

Description

AlphaSOC detected an abnormally high number of DNS failures, which may indicate malicious activity. This pattern could be associated with domain generation algorithms (DGA), DNS tunneling, DNS reconnaissance, or DoS attacks. Adversaries often use these techniques for command and control communication, data exfiltration, or network mapping. The high failure rate suggests attempts to resolve non-existent or blocked domains, a common characteristic of these attack methods.

Impact

A high DNS failure rate can significantly impact network performance and security. It may indicate ongoing malicious activities such as malware communication, data theft, or preparation for larger attacks. These activities can lead to system compromise, data breaches, or network disruptions.

Severity

Severity   Condition
Low        Excessive number of DNS failures

Investigation and Remediation

Investigate the source of the DNS failures by analyzing DNS logs and network traffic. Identify the systems generating these queries and examine them for signs of compromise. Review the queried domain names for patterns indicative of DGAs or other malicious behavior. If malicious activity is confirmed, isolate affected systems, remove any malware, and block communication with suspicious domains.
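As an added example (not AlphaSOC's own detection code or documentation), the Python below triages constructed DNS log lines the way the investigation step describes: it counts failed responses per client, flags clients above a threshold, and uses Shannon entropy of the second-level label as a rough DGA indicator. The log format, the failure threshold and the entropy floor are assumptions, not values from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines (not from the original page):
# "<timestamp> <client_ip> <query_name> <rcode>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:03 10.0.0.9 xk3q9vz2lp.net NXDOMAIN
2024-01-01T10:00:03 10.0.0.9 r8tq2mxw7b.net NXDOMAIN
2024-01-01T10:00:04 10.0.0.9 zp4ltq8w3k.com NXDOMAIN
2024-01-01T10:00:04 10.0.0.9 wq92mtv7rk.org NXDOMAIN
2024-01-01T10:00:05 10.0.0.9 b7xkq2zlmw.net NXDOMAIN
2024-01-01T10:00:06 10.0.0.7 typo-exampel.com NXDOMAIN
"""

# Response codes treated as failures (assumed set for this example).
FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random-looking DGA labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(qname: str) -> str:
    """'xk3q9vz2lp' from 'xk3q9vz2lp.net'; falls back to the only label if there is one."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def parse_log(text: str):
    """Yield (client, qname, rcode) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, client, qname, rcode = parts
            yield client, qname.lower().rstrip("."), rcode

def find_excessive_failures(text: str, threshold: int = 4, entropy_floor: float = 3.0):
    """Return {client: {"failures", "total", "high_entropy_domains"}} for clients
    with at least `threshold` failed lookups (threshold and floor are tuning assumptions)."""
    totals, failures = Counter(), defaultdict(list)
    for client, qname, rcode in parse_log(text):
        totals[client] += 1
        if rcode in FAILURE_RCODES:
            failures[client].append(qname)
    report = {}
    for client, names in failures.items():
        if len(names) >= threshold:
            suspicious = [q for q in names
                          if shannon_entropy(second_level_label(q)) >= entropy_floor]
            report[client] = {"failures": len(names), "total": totals[client],
                              "high_entropy_domains": suspicious}
    return report
```

On the sample data only 10.0.0.9 is reported: five failures out of five queries, all with high-entropy labels, while the single typo from 10.0.0.7 stays below the threshold.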