[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Dr. Daniel Carras dr.astrom42 at gmail.com
Tue Feb 3 21:07:42 GMT 2009


I'm planning a move to BIND, but that will take some time. However, I 
did find a work-around that seems to work (since Sunday). It wasn't what 
was listed here or on Simple DNS Pro's site. I also found that the same 
DNS flood, once denied access to the DNS server, would then evolve and 
attack the mail server. Given that the attacks were spoofed IPs, if the 
blackhole option was chosen on both servers, you would be blackholing 
the victim; and this may have been the purpose of the attack.

My problem, and potentially that of others (given the economic situation), 
is that the cost of migrating over to a new server (hosted or otherwise) may be 
prohibitive. We seriously have to get working on stopping the origins 
of these attacks.


CunningPike wrote:
> Check again - they posted an update on January 31. But seriously, if you
> are using a DNS that couldn't be configured not to amplify until 3 days
> ago, I would change your DNS provider.
>
> CP
>
> On Wed, 2009-01-28 at 23:00 -0500, Dr. Daniel Carras wrote:
>> I checked with Simple DNS Pro, and configuring Simple DNS Pro as you 
>> suggest, is not possible.
>> http://www.simpledns.com/newsitem.aspx?id=2362
>>
>> Jon Kibler wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Dr. Daniel Carras wrote:
>>>> I'm analyzing the logs now. However, there's not much. All it does is 
>>>> repeatedly ask for NS-record for <root>
>>>>
>>> You are obviously one of the participants in a DDOS attack in which
>>> your name server is being used as an amplifier. The source IP address
>>> you are seeing is guaranteed to be forged.
>>>
>>> This tells me that you have a SERIOUS misconfiguration of your name
>>> servers! You should be refusing these queries!!!
>>>
>>> For example, if from some point external to your domain, you query on
>>> your name server, it should behave as follows:
>>>
>>> 	$ host -t ns . ns1.YOURNAMESERVER
>>> 	Using domain server:
>>> 	Name: ns1.YOURNAMESERVER
>>> 	Address: a.b.c.d#53
>>> 	Aliases:
>>>
>>> 	Host . not found: 5(REFUSED)
>>>
>>>
>>> If you have query logging on, you should still see queries, but you
>>> should NEVER return the root hints!!!
>>>
>>> PLEASE fix your name servers! It is seriously misconfigured name servers
>>> like yours that are the cause of this problem. If everyone had properly
>>> locked down name servers, DDOS attacks such as this would not work. (And
>>> don't even think of getting me started on network egress filtering!)
>>>
>>> For additional details on the type of attack in which you are
>>> participating, see this and other Handler's Diary entries:
>>>    http://isc.sans.org/diary.html?n&storyid=5713
>>>
>>> See also, recent NANOG archives.
>>>
>>> Jon Kibler
>>> - --
>>> Jon R. Kibler
>>> Chief Technical Officer
>>> Advanced Systems Engineering Technology, Inc.
>>> Charleston, SC  USA
>>> o: 843-849-8214
>>> c: 843-224-2494
>>> s: 843-564-4224
>>> http://www.linkedin.com/in/jonrkibler
>>>
>>> My PGP Fingerprint is:
>>> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.8 (Darwin)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>>
>>> iEYEARECAAYFAkmBEm8ACgkQUVxQRc85QlNsRACcD2vUTl5DnDeBdiQHnOFmg7G2
>>> uEwAnA2VbWYh+oBjjq2STkxjz2jvTv8q
>>> =h9j3
>>> -----END PGP SIGNATURE-----
>>>
>> _______________________________________________
>> Dshield mailing list
>> Dshield at lists.sans.org
>> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
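As an added illustration of the log pattern Jon describes (repeated NS queries for the root from a forged source), here is a small detection script for BIND-style query logs. It is example code written for this thread, not something posted by any of the participants; the log lines are constructed, use documentation address ranges, and the log format assumed is BIND 9's default "client IP#port: query: name IN type flags" line. The script counts root-NS queries per source and flags sources above a threshold. As the thread points out, a flagged address is most likely the spoofed victim rather than the attacker, so the correct fix is to stop answering such queries (REFUSED), not to blackhole the address.

```python
import re
from collections import Counter

# Constructed sample in BIND 9 query-log format (not from the thread). The
# high-volume source is a documentation-range address standing in for the
# forged victim IP; the other two clients are ordinary traffic.
SAMPLE_LOG = """\
03-Feb-2009 21:00:01.101 client 192.0.2.10#4521: query: . IN NS +
03-Feb-2009 21:00:01.102 client 192.0.2.10#4521: query: . IN NS +
03-Feb-2009 21:00:01.104 client 192.0.2.10#4521: query: . IN NS +
03-Feb-2009 21:00:01.110 client 198.51.100.7#53000: query: www.example.com IN A +
03-Feb-2009 21:00:01.250 client 192.0.2.10#4521: query: . IN NS +
03-Feb-2009 21:00:02.003 client 203.0.113.5#1025: query: . IN NS -
03-Feb-2009 21:00:02.300 client 192.0.2.10#4521: query: . IN NS +
"""

# Assumed BIND 9 query-log layout: timestamp, client address#port, then
# "query: <qname> IN <qtype> <flags>" ("+" means recursion desired).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return the fields of one query-log line as a dict, or None if it
    does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def root_ns_queries_per_source(log_text):
    """Count queries for the root NS record ('. IN NS') per source address.
    Lines that do not parse, or that ask for anything else, are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == "." and rec["qtype"] == "NS":
            counts[rec["ip"]] += 1
    return counts


def flag_amplification_victims(log_text, threshold=3):
    """Return {ip: count} for sources that sent at least `threshold`
    root-NS queries. Because the source address in a reflection flood is
    forged, each flagged IP is the probable victim of the amplified
    replies, which is why blackholing it would punish the wrong party."""
    counts = root_ns_queries_per_source(log_text)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_amplification_victims(SAMPLE_LOG).items():
        print(f"{ip}: {n} root-NS queries (source spoofed; likely the victim)")
```

Run it against a real query log by replacing SAMPLE_LOG with the file contents; the threshold is a placeholder and should be set from the server's normal baseline. Once the name server is configured to refuse these queries (the `host -t ns . ns1.YOURNAMESERVER` check above should return REFUSED), the queries still appear in the log, but the amplified root-hints response no longer goes out.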