[dns-operations] .se being used as seed data in dns attacks

Mark Andrews Mark_Andrews at isc.org
Thu Aug 10 23:03:48 UTC 2006 

> At 11:51 -0700 8/10/06, william(at)elan.net wrote:
> >I've noticed that one of the servers (that is open to public but in
> >limited form which I'm not about to start explaining here) there are
> >'ANY' requests coming for "se". This to me looks like an attempt to
> ...
> >In any case I want to print here results of what se zone looks like,
> >I think its a bit too long even (or especially) for GTLD. ...
> 
> Memorable Quotes from Amadeus (1984)
> 
> Emperor Joseph II: Your work is ingenious. It's quality work. But 
> there are simply too many notes, that's all. Just cut a few and it 
> will be perfect.
> 
> Mozart: Which few did you have in mind, Majesty?
> 
> >I know "se" is trying to be good netizen and be in the front with
> >all the latest technologies, but issue appears to be that its
> >exactly because their zone is being used in this way. This kind-of
> >points out to what can happen if you deploy this all as well...
> >
> >; <<>> DiG 9.2.4 <<>> @<removed> any se
> >;; global options:  printcmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51722
> >;; flags: qr rd ra; QUERY: 1, ANSWER: 25, AUTHORITY: 9, ADDITIONAL: 12
> 
> Welcome to DNSSEC.  That's what DNSSEC is.  A lot more bytes and 
> records.  When I ran dig at the a server:
> 
> $ dig @a.ns.se se any +dnssec +bufsize=4096
> 
> ; <<>> DiG 9.3.0 <<>> @a.ns.se se any +dnssec +bufsize=4096
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 20
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> 
> ...
> 
> ;; SERVER: 192.36.144.107#53(a.ns.se)
> ;; WHEN: Thu Aug 10 15:31:51 2006
> ;; MSG SIZE  rcvd: 3991
> 
> 
> This is why I've pushed back on the notion that open recursive name 
> servers are the most evil being on the face of the planet.  Sooner or 
> later there will be a plethora of authoritative servers to use for 
> amplification.
> 
> It's not that DNSSEC has a choice.  There's no DNSSEC-lite 
> alternative that was passed over.  Just about any improvement on DNS 
> will bloat the answers in one way or another.
> 
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis                                                +1-571-434-5468
> NeuStar
> 
> Soccer/Futbol. IPv6.  Both have lots of 1's and 0's and have a hard time
> catching on in North America.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

	It's also why we have said the deploying BCP 38 is the only
	long term solution.

	We need to get residential ISPs to get near 100% BCP 38
	deployment.  That will cut down hugely on the number of
	compromised machines that can be used to launch these
	attacks.

	Similarly with universities. Indivial labs / dorms.

	ISP NOC's.

	Anywhere that it makes sense.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list