[Dshield] ISC# [6656916] & [6137560] Massive DNS attack/Flood - next evolution - phase 2

Stephane Grobety security at admin.fulgan.com
Thu Jan 29 07:35:51 GMT 2009


Of course, it's possible! The very article you link explains you how
to do this!

I've reported that problem to JH Software 5 years ago (in February
2004, to be exact, when I first encountered a DNS amplification attack
that was targeting Simple DNS Plus installations) and they responded
with a fixed version within the week. Any version higher than 3.50.01
will have that option available.

And if you go to the support forums, you'll see several threads about
the issue including one where I explain how you can deal with the log


Thursday, January 29, 2009, 5:00:57 AM, you wrote:

DDC> I checked with Simple DNS Pro, and configuring Simple DNS Pro as you 
DDC> suggest, is not possible.
DDC> http://www.simpledns.com/newsitem.aspx?id=2362

DDC> Jon Kibler wrote:
>> Hash: SHA1
>> Dr. Daniel Carras wrote:
>>> I'm analyzing the logs now. However, there's not much. All it does is 
>>> repeatedly ask for NS-record for <root>
>> You are obviously one the the participants in a DDOS attach in which
>> your name server is being used as an amplifier. The source IP address
>> you are seeing is guaranteed to be forged.
>> This tells me that you have a SERIOUS misconfiguration of your name
>> servers! You should be refusing these queries!!!
>> For example, if from some point external to your domain, you query on
>> your name server, it should behave as follows:
>>       $ host -t ns . ns1.YOURNAMESERVER
>>       Using domain server:
>>       Name: ns1.YOURNAMESERVER
>>       Address: a.b.c.d#53
>>       Aliases:
>>       Host . not found: 5(REFUSED)
>> If you have query logging on, you should still see queries, but you
>> should NEVER return the root hints!!!
>> PLEASE fix your name servers! It is seriously misconfigured name servers
>> like yours that is the cause of this problem. If everyone had properly
>> locked down name servers, DDOS attacks such as this would not work. (And
>> don't even think of getting me started on network egress filtering!)
>> For additional details on the type of attack in which you are
>> participating, see this and other Handler's Diary entries:
>>    http://isc.sans.org/diary.html?n&storyid=5713
>> See also, recent NANOG archives.
>> Jon Kibler
>> - --
>> Jon R. Kibler
>> Chief Technical Officer
>> Advanced Systems Engineering Technology, Inc.
>> Charleston, SC  USA
>> o: 843-849-8214
>> c: 843-224-2494
>> s: 843-564-4224
>> http://www.linkedin.com/in/jonrkibler
>> My PGP Fingerprint is:
>> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>> Version: GnuPG v1.4.8 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> uEwAnA2VbWYh+oBjjq2STkxjz2jvTv8q
>> =h9j3
>> -----END PGP SIGNATURE-----
>> ==================================================
>> Filtered by: TRUSTEM.COM's Email Filtering Service
>> http://www.trustem.com/
>> No Spam. No Viruses. Just Good Clean Email.

DDC> _______________________________________________
DDC> Dshield mailing list
DDC> Dshield at lists.sans.org
DDC> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list

Best regards,
 Stephane                            mailto:security at admin.fulgan.com

More information about the Dshield mailing list