[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2
Stephane Grobety
security at admin.fulgan.com
Tue Feb 3 13:55:20 GMT 2009
Hello CunningPike,
This is getting a bit tiresome to keep repeating: please check your sources
before you post. That software has been able to block root requests
from unauthorized networks for 5 years. The latest update is a quick
fix to remove the logging of these requests because of the amount of
log data that was generated.
The only reason it would reply would be if the administrator either
didn't upgrade for the past 5 years, made a configuration mistake,
or failed basic RTFM skills.
You can probably beat Simple DNS plus for a lot of reasons, but this
isn't one of them.
It might not be clear, because I've spent a lot of energy in the past
few weeks defending Simple DNS Plus against misconceptions and false
rumors, but I'm not working for them. I just like that software and
have it deployed on several nodes.
Regards,
Stephane
Tuesday, February 3, 2009, 9:41:12 AM, you wrote:
C> Check again - they posted an update on January 31. But seriously, if you
C> are using a DNS that couldn't be configured not to amplify until 3 days
C> ago, I would change your DNS provider.
C> CP
C> On Wed, 2009-01-28 at 23:00 -0500, Dr. Daniel Carras wrote:
>> I checked with Simple DNS Pro, and configuring Simple DNS Pro as you
>> suggest, is not possible.
>> http://www.simpledns.com/newsitem.aspx?id=2362
>>
>> Jon Kibler wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Dr. Daniel Carras wrote:
>> >
>> >> I'm analyzing the logs now. However, there's not much. All it does is
>> >> repeatedly ask for NS-record for <root>
>> >>
>> >>
>> >
>> > You are obviously one of the participants in a DDoS attack in which
>> > your name server is being used as an amplifier. The source IP address
>> > you are seeing is guaranteed to be forged.
>> >
>> > This tells me that you have a SERIOUS misconfiguration of your name
>> > servers! You should be refusing these queries!!!
>> >
>> > For example, if from some point external to your domain, you query on
>> > your name server, it should behave as follows:
>> >
>> > $ host -t ns . ns1.YOURNAMESERVER
>> > Using domain server:
>> > Name: ns1.YOURNAMESERVER
>> > Address: a.b.c.d#53
>> > Aliases:
>> >
>> > Host . not found: 5(REFUSED)
>> >
>> >
>> > If you have query logging on, you should still see queries, but you
>> > should NEVER return the root hints!!!
>> >
>> > PLEASE fix your name servers! It is seriously misconfigured name servers
>> > like yours that are the cause of this problem. If everyone had properly
>> > locked down name servers, DDOS attacks such as this would not work. (And
>> > don't even think of getting me started on network egress filtering!)
>> >
>> > For additional details on the type of attack in which you are
>> > participating, see this and other Handler's Diary entries:
>> > http://isc.sans.org/diary.html?n&storyid=5713
>> >
>> > See also, recent NANOG archives.
>> >
>> > Jon Kibler
>> > - --
>> > Jon R. Kibler
>> > Chief Technical Officer
>> > Advanced Systems Engineering Technology, Inc.
>> > Charleston, SC USA
>> > o: 843-849-8214
>> > c: 843-224-2494
>> > s: 843-564-4224
>> > http://www.linkedin.com/in/jonrkibler
>> >
>> > My PGP Fingerprint is:
>> > BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>> >
>> >
>> > -----BEGIN PGP SIGNATURE-----
>> > Version: GnuPG v1.4.8 (Darwin)
>> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> >
>> > iEYEARECAAYFAkmBEm8ACgkQUVxQRc85QlNsRACcD2vUTl5DnDeBdiQHnOFmg7G2
>> > uEwAnA2VbWYh+oBjjq2STkxjz2jvTv8q
>> > =h9j3
>> > -----END PGP SIGNATURE-----
>> >
>> >
>> >
>> >
>> >
>> >
>>
>> _______________________________________________
>> Dshield mailing list
>> Dshield at lists.sans.org
>> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
--
Best regards,
Stephane mailto:security at admin.fulgan.com
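The check Jon Kibler describes above (query your own server for "NS ." from outside and expect REFUSED), written out as an added example that is not part of the thread or of any of the products mentioned. It builds the same wire-format query that `host -t ns .` sends, parses the reply header, and reports the response-to-query size ratio, which is the amplification an attacker with a spoofed source address gets for free. The two sample replies (a REFUSED answer and a NOERROR answer carrying a root hint set) are constructed in the script, not captured traffic; the 192.0.2.0/24 glue addresses are TEST-NET placeholders, not real root server IPs. `probe_live()` sends real traffic only if you call it against a server you are allowed to test.

```python
"""Check a name server's answer to 'NS .' and measure the amplification factor.

Added example for the thread above; packets below are constructed, not captured.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name in DNS wire format; '.' (the root) is a single zero byte."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_root_ns_query(txid=0x1234):
    """Wire-format query for 'NS .', the same question `host -t ns .` sends (17 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(".") + struct.pack("!HH", 2, 1)  # QTYPE NS, QCLASS IN


def build_refused_response(query):
    """What a locked-down server returns: the question echoed back, RCODE 5, no records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0)  # QR=1, RCODE=REFUSED
    return header + query[12:]


def build_root_hints_response(query, n_servers=13):
    """What a misconfigured server returns: NS records for '.' plus A glue for each server.

    Constructed sample: names follow the a..m.root-servers.net pattern, but the
    glue addresses are TEST-NET (192.0.2.x) placeholders, not real root server IPs.
    """
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_servers, 0, n_servers)  # QR, RD, RA
    answers, additional = b"", b""
    for i in range(n_servers):
        name = chr(ord("a") + i) + ".root-servers.net."
        rdata = encode_name(name)
        # NS record: owner is a pointer (0xC00C) to the '.' in the question section
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
        # A glue record for that server (placeholder address)
        additional += rdata + struct.pack("!HHIH", 1, 1, 518400, 4) + bytes([192, 0, 2, i + 1])
    return header + query[12:] + answers + additional


def parse_response(data):
    """Decode the 12-byte DNS header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "rcode": RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F)),
        "answers": an,
        "authority": ns,
        "additional": ar,
        "size": len(data),
    }


def assess(query, response):
    """Decide whether the server is usable as a reflector for this query.

    A REFUSED answer is about the size of the query (amplification ~1x); a
    root-hints answer is tens of times larger, which is what a spoofed-source
    flood relies on.
    """
    info = parse_response(response)
    info["amplification"] = round(len(response) / len(query), 1)
    if info["rcode"] == "REFUSED" and info["answers"] == 0:
        info["verdict"] = "ok: root NS query refused"
    elif info["rcode"] == "NOERROR" and info["answers"] > 0:
        info["verdict"] = "AMPLIFIER: returns root hints to unauthorized clients"
    else:
        info["verdict"] = "inconclusive"
    return info


def probe_live(server, timeout=3.0):
    """Send the query to a real server over UDP. Only run this against servers you own."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return assess(query, response)


if __name__ == "__main__":
    q = build_root_ns_query()
    for label, r in (("refused", build_refused_response(q)),
                     ("root hints", build_root_hints_response(q))):
        print(label, assess(q, r))
```

Run it as-is to see the two constructed cases side by side: the refused reply is 17 bytes for a 17-byte query, while the 13-server hint set comes back at 875 bytes, roughly 51x the query. A server whose live probe lands in the second category is answering the root NS question for anyone and should have that query restricted to its own networks, whatever software it runs.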