[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Jon Kibler Jon.Kibler at aset.com
Thu Jan 29 02:20:32 GMT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dr. Daniel Carras wrote:
> I'm analyzing the logs now. However, there's not much. All it does is 
> repeatedly ask for NS-record for <root>
>

You are obviously one the the participants in a DDOS attach in which
your name server is being used as an amplifier. The source IP address
you are seeing is guaranteed to be forged.

This tells me that you have a SERIOUS misconfiguration of your name
servers! You should be refusing these queries!!!

For example, if from some point external to your domain, you query on
your name server, it should behave as follows:

	$ host -t ns . ns1.YOURNAMESERVER
	Using domain server:
	Name: ns1.YOURNAMESERVER
	Address: a.b.c.d#53
	Aliases:

	Host . not found: 5(REFUSED)


If you have query logging on, you should still see queries, but you
should NEVER return the root hints!!!

PLEASE fix your name servers! It is seriously misconfigured name servers
like yours that is the cause of this problem. If everyone had properly
locked down name servers, DDOS attacks such as this would not work. (And
don't even think of getting me started on network egress filtering!)

For additional details on the type of attack in which you are
participating, see this and other Handler's Diary entries:
   http://isc.sans.org/diary.html?n&storyidW13

See also, recent NANOG archives.

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmBEm8ACgkQUVxQRc85QlNsRACcD2vUTl5DnDeBdiQHnOFmg7G2
uEwAnA2VbWYh+oBjjq2STkxjz2jvTv8q
=h9j3
-----END PGP SIGNATURE-----




=========================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the Dshield mailing list