[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2
Dr. Daniel Carras
dr.astrom42 at gmail.com
Wed Feb 4 01:47:19 GMT 2009
I guess I wasn't clear. I had the recommended settings (for version 3.60)
and it wasn't working. I couldn't afford the upgrade, and still can't.
However, this is the first flood (of this scale) that I've experienced,
on Simple DNS Pro/Plus, in the 8 plus years that I have been using
Simple DNS.
Stephane Grobety wrote:
> Hello CunningPike,
>
> This is getting a bit tiresome to repeat it: please check your sources
> before you post: that software has been able to block root requests
> from unauthorized network for 5 years. The latest update is a quick
> fix to remove the logging of these requests because of the amount of
> log that was generated.
>
> The only reason it would reply would be if the administrator either
> didn't upgrade for the past 5 years, made a configuration mistake
> or failed basic RTFM skills.
>
> You can probably beat Simple DNS plus for a lot of reasons, but this
> isn't one of them.
>
> It might not be clear because I've spent a lot of energy in the past
> weeks to defend Simple DNS plus against misconceptions and false
> rumors but I'm not working for them. I just like that software and
> have it deployed on several nodes.
>
> Regards,
> Stephane
>
>
>
> Tuesday, February 3, 2009, 9:41:12 AM, you wrote:
>
> C> Check again - they posted an update on January 31. But seriously, if you
> C> are using a DNS that couldn't be configured not to amplify until 3 days
> C> ago, I would change your DNS provider.
>
> C> CP
>
> C> On Wed, 2009-01-28 at 23:00 -0500, Dr. Daniel Carras wrote:
>
>>> I checked with Simple DNS Pro, and configuring Simple DNS Pro as you
>>> suggest, is not possible.
>>> http://www.simpledns.com/newsitem.aspx?id=2362
>>>
>>> Jon Kibler wrote:
>>>
>>>> Dr. Daniel Carras wrote:
>>>>
>>>>> I'm analyzing the logs now. However, there's not much. All it does is
>>>>> repeatedly ask for NS-record for <root>
>>>>>
>>>> You are obviously one of the participants in a DDOS attack in which
>>>> your name server is being used as an amplifier. The source IP address
>>>> you are seeing is guaranteed to be forged.
>>>>
>>>> This tells me that you have a SERIOUS misconfiguration of your name
>>>> servers! You should be refusing these queries!!!
>>>>
>>>> For example, if from some point external to your domain, you query on
>>>> your name server, it should behave as follows:
>>>>
>>>> $ host -t ns . ns1.YOURNAMESERVER
>>>> Using domain server:
>>>> Name: ns1.YOURNAMESERVER
>>>> Address: a.b.c.d#53
>>>> Aliases:
>>>>
>>>> Host . not found: 5(REFUSED)
>>>>
>>>>
>>>> If you have query logging on, you should still see queries, but you
>>>> should NEVER return the root hints!!!
>>>>
>>>> PLEASE fix your name servers! It is seriously misconfigured name servers
>>>> like yours that are the cause of this problem. If everyone had properly
>>>> locked down name servers, DDOS attacks such as this would not work. (And
>>>> don't even think of getting me started on network egress filtering!)
>>>>
>>>> For additional details on the type of attack in which you are
>>>> participating, see this and other Handler's Diary entries:
>>>> http://isc.sans.org/diary.html?n&storyid=5713
>>>>
>>>> See also, recent NANOG archives.
>>>>
>>>> Jon Kibler
>>>> - --
>>>> Jon R. Kibler
>>>> Chief Technical Officer
>>>> Advanced Systems Engineering Technology, Inc.
>>>> Charleston, SC USA
>>>> o: 843-849-8214
>>>> c: 843-224-2494
>>>> s: 843-564-4224
>>>> http://www.linkedin.com/in/jonrkibler
>>>>
>>>> My PGP Fingerprint is:
>>>> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>>>>
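An offline illustration of the check Jon describes above (a root NS query from outside the network should get REFUSED back, not the root hints), added here as example code that is not from the thread or from any DNS product it discusses; the transaction id, the sample replies and the NS target name in them are constructed, and only probe() touches the network.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_root_ns_query(txid=0x1234):
    # Header: id, flags=RD only, QDCOUNT=1. Question: the root name is a
    # single zero-length label, QTYPE=NS(2), QCLASS=IN(1). 17 bytes total.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)

def parse_header(packet):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "rcode": flags & 0x0F, "ancount": an,
            "nscount": ns, "arcount": ar}

def classify_response(query, response):
    # 'refused': RCODE 5 and no answer, what the `host` output above shows.
    # 'amplifying': RCODE 0 with records, i.e. root hints handed to an
    # unauthorised client. Second value is bytes out / bytes in.
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        return "txid-mismatch", 0.0
    factor = round(len(response) / len(query), 1)
    if h["rcode"] == 5:
        return "refused", factor
    if h["rcode"] == 0 and h["ancount"] + h["arcount"] > 0:
        return "amplifying", factor
    return RCODE_NAMES.get(h["rcode"], "rcode-%d" % h["rcode"]), factor

def probe(server, port=53, timeout=3.0):
    # Live check, run from a host outside your own network; expect 'refused'.
    q = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return classify_response(q, data)

def constructed_response(query, rcode, ns_records=0):
    # Constructed reply for offline use, not captured traffic: echoes the
    # question and, for RCODE 0, appends ns_records 'NS .' answers, each a
    # 12-byte fixed part plus a 20-byte placeholder target name.
    flags = struct.pack("!H", 0x8180 | rcode)
    answers = ns_records if rcode == 0 else 0
    rdata = b"\x01a\x0croot-servers\x03net\x00"  # placeholder NS target
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    header = query[:2] + flags + struct.pack("!HHHH", 1, answers, 0, 0)
    return header + query[12:] + rr * answers

if __name__ == "__main__":
    q = build_root_ns_query()
    print("locked down:", classify_response(q, constructed_response(q, 5)))
    print("open:", classify_response(q, constructed_response(q, 0, 13)))
```

With 13 constructed NS answers the 17-byte query draws a 433-byte reply, which is the order of amplification that makes a forged-source flood against an open server worthwhile.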