[dns-operations] .se being used as seed data in dns attacks
Mark Andrews
Mark_Andrews at isc.org
Thu Aug 10 23:03:48 UTC 2006
> At 11:51 -0700 8/10/06, william(at)elan.net wrote:
> >I've noticed that one of the servers (that is open to public but in
> >limited form which I'm not about to start explaining here) there are
> >'ANY' requests coming for "se". This to me looks like an attempt to
> ...
> >In any case I want to print here results of what se zone looks like,
> >I think it's a bit too long even (or especially) for GTLD. ...
>
> Memorable Quotes from Amadeus (1984)
>
> Emperor Joseph II: Your work is ingenious. It's quality work. But
> there are simply too many notes, that's all. Just cut a few and it
> will be perfect.
>
> Mozart: Which few did you have in mind, Majesty?
>
> >I know "se" is trying to be good netizen and be in the front with
> >all the latest technologies, but the issue appears to be that it's
> >exactly because their zone is being used in this way. This kind of
> >points out what can happen if you deploy this all as well...
> >
> >; <<>> DiG 9.2.4 <<>> @<removed> any se
> >;; global options: printcmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51722
> >;; flags: qr rd ra; QUERY: 1, ANSWER: 25, AUTHORITY: 9, ADDITIONAL: 12
>
> Welcome to DNSSEC. That's what DNSSEC is. A lot more bytes and
> records. When I ran dig at the a server:
>
> $ dig @a.ns.se se any +dnssec +bufsize=4096
>
> ; <<>> DiG 9.3.0 <<>> @a.ns.se se any +dnssec +bufsize=4096
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 20
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
>
> ...
>
> ;; SERVER: 192.36.144.107#53(a.ns.se)
> ;; WHEN: Thu Aug 10 15:31:51 2006
> ;; MSG SIZE rcvd: 3991
>
>
> This is why I've pushed back on the notion that open recursive name
> servers are the most evil being on the face of the planet. Sooner or
> later there will be a plethora of authoritative servers to use for
> amplification.
>
> It's not that DNSSEC has a choice. There's no DNSSEC-lite
> alternative that was passed over. Just about any improvement on DNS
> will bloat the answers in one way or another.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis +1-571-434-5468
> NeuStar
>
> Soccer/Futbol. IPv6. Both have lots of 1's and 0's and have a hard time
> catching on in North America.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
It's also why we have said that deploying BCP 38 is the only
long-term solution.

We need to get residential ISPs to near 100% BCP 38
deployment. That will cut down hugely on the number of
compromised machines that can be used to launch these
attacks.

Similarly with universities. Individual labs / dorms.
ISP NOCs.

Anywhere that it makes sense.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
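As an added illustration, not code from anyone in the thread, the following shows the defender-side arithmetic and detection behind what William and Edward describe: how much amplification a signed zone apex offers to a spoofed ANY query, and how to flag sources in BIND-style query logs that send bursts of ANY for the apex. The log lines are constructed; the 3991-byte answer size is the figure from the dig output quoted above, and the query-size model assumes a minimal query with an EDNS OPT record.

```python
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (not from the thread). The repeated
# "se IN ANY +ED" lines from one source mimic the pattern William saw; the
# remaining lines are ordinary traffic for contrast.
SAMPLE_LOG = """\
client 203.0.113.5#53211: query: se IN ANY +ED (192.0.2.53)
client 203.0.113.5#53211: query: se IN ANY +ED (192.0.2.53)
client 203.0.113.5#53211: query: se IN ANY +ED (192.0.2.53)
client 203.0.113.5#53211: query: se IN ANY +ED (192.0.2.53)
client 198.51.100.7#40001: query: www.example.se IN A - (192.0.2.53)
client 198.51.100.9#40002: query: se IN SOA -E (192.0.2.53)
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>\S+)"
)

# "se ANY +dnssec" answered with 3991 bytes in Edward's dig output; treat that
# as the largest answer this authoritative server can be induced to send.
LARGEST_RESPONSE_BYTES = 3991
DNS_HEADER_BYTES = 12
EDNS_OPT_RR_BYTES = 11  # root name (1) + TYPE (2) + CLASS (2) + TTL (4) + RDLEN (2)


def query_wire_size(qname: str, edns: bool) -> int:
    """UDP payload size of a minimal query: header + question (+ OPT RR if EDNS)."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    wire_name = sum(1 + len(lbl) for lbl in labels) + 1  # length byte per label + root
    size = DNS_HEADER_BYTES + wire_name + 4               # QTYPE + QCLASS
    return size + (EDNS_OPT_RR_BYTES if edns else 0)


def amplification_factor(qname: str, edns: bool, response_bytes: int) -> float:
    """Bytes the server emits per byte a spoofing sender has to put on the wire."""
    return response_bytes / query_wire_size(qname, edns)


def flag_any_reflection(log_text: str, min_queries: int = 3) -> dict:
    """Map client_ip -> (ANY count, estimated bytes reflected) for sources at or
    above min_queries. With spoofed sources, the 'client' is the victim."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("qtype") == "ANY":
            counts[m.group("ip")] += 1
    return {ip: (n, n * LARGEST_RESPONSE_BYTES)
            for ip, n in counts.items() if n >= min_queries}
```

The flagged addresses are where the reflected traffic lands, which is why Mark's point stands: rate limits at the authoritative side only blunt this, and ingress filtering per BCP 38 at the spoofing source is what removes it.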