[Dshield] ISC#  &  Massive DNS attack/Flood - next evolution - phase 2
Dr. Daniel Carras
dr.astrom42 at gmail.com
Thu Jan 29 04:00:57 GMT 2009
I checked with Simple DNS Pro, and configuring Simple DNS Pro as you
suggest is not possible.
Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Dr. Daniel Carras wrote:
>> I'm analyzing the logs now. However, there's not much. All it does is
>> repeatedly ask for NS-record for <root>
> You are obviously one of the participants in a DDOS attack in which
> your name server is being used as an amplifier. The source IP address
> you are seeing is guaranteed to be forged.
> This tells me that you have a SERIOUS misconfiguration of your name
> servers! You should be refusing these queries!!!
> For example, if from some point external to your domain, you query on
> your name server, it should behave as follows:
> $ host -t ns . ns1.YOURNAMESERVER
> Using domain server:
> Name: ns1.YOURNAMESERVER
> Address: a.b.c.d#53
> Host . not found: 5(REFUSED)
> If you have query logging on, you should still see queries, but you
> should NEVER return the root hints!!!
> PLEASE fix your name servers! It is seriously misconfigured name servers
> like yours that are the cause of this problem. If everyone had properly
> locked down name servers, DDOS attacks such as this would not work. (And
> don't even think of getting me started on network egress filtering!)
> For additional details on the type of attack in which you are
> participating, see this and other Handler's Diary entries:
> See also, recent NANOG archives.
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
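Added example (not part of either message above, and not code from any of the products named): a Python check for the behaviour described in the quoted reply, where an external ". NS" query should come back REFUSED instead of a root referral. The function names, the transaction ID and the two sample replies are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_root_ns_query(txid=0x1234):
    """Build the '. IN NS' query seen repeating in the logs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + b"\x00" + struct.pack("!HH", 2, 1)         # root name, NS, IN

def assess_response(query, response):
    """Classify a reply: REFUSED is the wanted result, a referral is not."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode, records = flags & 0x000F, an + ns + ar
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "records": records,
        "amplification": round(len(response) / len(query), 2),
        "usable_as_amplifier": rcode == 0 and records > 0,
    }

def check_server(ip, timeout=3.0):
    """Send the query to a name server you operate, from outside its network."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((ip, 53))
        s.send(query)
        return assess_response(query, s.recv(4096))

def sample_responses(query):
    """Constructed replies: one REFUSED, one referral listing 13 root servers."""
    txid, question = query[:2], query[12:]
    refused = txid + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + question
    rdata = b"\x01a\x0croot-servers\x03net\x00"   # uncompressed, for illustration
    rr = b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    referral = txid + struct.pack("!HHHHH", 0x8100, 1, 0, 13, 0) + question + rr * 13
    return refused, referral

if __name__ == "__main__":
    q = build_root_ns_query()
    for name, resp in zip(("refused", "referral"), sample_responses(q)):
        print(name, assess_response(q, resp))
```

The amplification figure is the reply size divided by the 17-byte query; a REFUSED reply that only echoes the question stays at 1.0.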