[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Dr. Daniel Carras dr.astrom42 at gmail.com
Thu Jan 29 04:00:57 GMT 2009


I checked with Simple DNS Pro, and configuring Simple DNS Pro as you 
suggest is not possible.
http://www.simpledns.com/newsitem.aspx?id=2362

Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dr. Daniel Carras wrote:
>   
>> I'm analyzing the logs now. However, there's not much. All it does is 
>> repeatedly ask for NS-record for <root>
>>
>>     
>
> You are obviously one of the participants in a DDOS attack in which
> your name server is being used as an amplifier. The source IP address
> you are seeing is guaranteed to be forged.
>
> This tells me that you have a SERIOUS misconfiguration of your name
> servers! You should be refusing these queries!!!
>
> For example, if from some point external to your domain, you query on
> your name server, it should behave as follows:
>
> 	$ host -t ns . ns1.YOURNAMESERVER
> 	Using domain server:
> 	Name: ns1.YOURNAMESERVER
> 	Address: a.b.c.d#53
> 	Aliases:
>
> 	Host . not found: 5(REFUSED)
>
>
> If you have query logging on, you should still see queries, but you
> should NEVER return the root hints!!!
>
> PLEASE fix your name servers! It is seriously misconfigured name servers
> like yours that are the cause of this problem. If everyone had properly
> locked down name servers, DDOS attacks such as this would not work. (And
> don't even think of getting me started on network egress filtering!)
>
> For additional details on the type of attack in which you are
> participating, see this and other Handler's Diary entries:
>    http://isc.sans.org/diary.html?n&storyid=5713
>
> See also, recent NANOG archives.
>
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
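Added example, not code from either poster: a small Python check over BIND-style query-log lines (the sample lines are constructed) that counts the repeated "NS ." queries Daniel describes per source address, so an operator can confirm from logs whether their server is being used as a reflector. The addresses it flags are the spoofed victims, not the attacker, which is why the remedy is refusing such queries (as Jon's `host -t ns .` test shows), not blocking those addresses.

```python
import re
from collections import Counter

# Constructed, BIND-style query-log lines for illustration; not from the thread.
SAMPLE_LOG = """\
29-Jan-2009 03:55:01.101 client 192.0.2.10#53211: query: . IN NS +
29-Jan-2009 03:55:01.102 client 192.0.2.10#53212: query: . IN NS +
29-Jan-2009 03:55:01.103 client 192.0.2.10#53213: query: . IN NS +
29-Jan-2009 03:55:01.104 client 198.51.100.7#40001: query: www.example.com IN A +
29-Jan-2009 03:55:01.105 client 192.0.2.10#53214: query: . IN NS +
29-Jan-2009 03:55:01.106 client 203.0.113.5#1025: query: . IN NS +
29-Jan-2009 03:55:01.107 client 192.0.2.10#53215: query: . IN NS +
"""

# Matches "client <ip>#<port>: query: <name> IN <type>" in a query-log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def root_ns_queries_by_client(log_text):
    """Count queries for the root NS record ('. IN NS') per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("name") == "." and m.group("type") == "NS":
            counts[m.group("ip")] += 1
    return counts


def suspected_reflection_targets(log_text, threshold=3):
    """Addresses that sent at least `threshold` root NS queries.

    In a reflection/amplification attack the source address is spoofed, so
    these are the victims receiving the server's oversized replies. The fix
    belongs in the server configuration (refuse queries for zones you do not
    serve, never hand out the root hints to outsiders), not in a block list.
    """
    counts = root_ns_queries_by_client(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in root_ns_queries_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} root NS queries")
    print("suspected reflection targets:", suspected_reflection_targets(SAMPLE_LOG))
```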