[dns-operations] DNS deluge for x.p.ctrc.cc

Ejay Hire ejay.hire at isdn.net
Mon Feb 27 19:39:57 UTC 2006


For high volume attacks using this vector, the problem comes
with a useful place to mount a clue-by-four.

During our recent attacks, we received a couple of dozen
complaints from other providers about how we were
"attacking" their DNS servers.  Each received the following
reply, or some variant.  I received responses from about
half that they had disabled unnecessary recursion, or with
requests for help.

--- form ---

Hello.

We're not attacking you, some attackers are trying to use
your DNS servers to attack us!

Explanation

Our 207.65.135.x and 207.65.23.x (and several more ip's now)
have been experiencing a denial of service attack as well.
The attackers are "reflecting" off of public DNS servers,
including yours.  The attacker spoofs our address as the
from address for a dns request, it's processed by your dns
server, and the reply packet(s) are forwarded on to us.

You can STOP and PREVENT your servers from being abused this
way by limiting the IP space they will allow to reply to
recursive queries.

In BIND, use the allow-recursion {} statement to do this.

More information on this type of attack is here.
http://www.dyndns.com/about/company/notify/archives/the_dangers_of_open_recursive_dns.html

Please let me know if we can be of any assistance,
Ejay Hire
ISDN-Net Network Engineer
615-221-5267 (direct)

---

---


> -----Original Message-----
> From: dns-operations-bounces at lists.oarci.net
> [mailto:dns-operations-bounces at lists.oarci.net] On Behalf Of
> Doug Barton
> Sent: Monday, February 27, 2006 1:29 PM
> To: Rob Thomas
> Cc: dns-operations at mail.oarc.isc.org
> Subject: Re: [dns-operations] DNS deluge for x.p.ctrc.cc
> 
> Rob Thomas wrote:
> 
> > These attacks have reached 8Gbps at times, and that sort of figure
> > does raise eyebrows.  Perhaps we can capitalize on that and gain some
> > attention to both the problems of DNS amplification attacks (yes, UDP
> > can be abused in many ways, but not all UDP services offer a 1:73
> > return on investment) and BCP38.
> > 
> > Thoughts?
> 
> I support the idea of notifying the amplification points. As you and Rodney
> have pointed out, the messages get at least some positive response, and on
> an objective level, it seems to be the "Right Thing" to do.
> 
> On another level, I think that there is a marked difference between this
> issue and *gress filtering. As Rodney pointed out, there is a real, economic
> incentive for most sites to fix this problem once they've been used as an
> amplifier (particularly given that it's outbound bandwidth that will be
> saved if they fix their problems). OTOH, as has been discussed to death on
> NANOG (and I really don't want to reopen here), most people who are in a
> position to do *gress filtering not only have no economic incentive to do
> so, they frequently have one (or more) to not do so.
> 
> I also agree with Joe and others that fixing the amplifiers may only be a
> part of the solution. However, it's a good step to take, and will have other
> tangible benefits. Let me know if there is anything I can do to help.
> 
> Doug
> 
> -- 
>     If you're never wrong, you're not trying hard enough
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
> 
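As an added example (not part of the list post and not BIND's own tooling): a small Python check that reads the allow-recursion statement the form letter recommends out of a named.conf fragment and replays BIND-style query-log lines against it, so an operator can see which recursion-desired queries an open server answers for any source and which the restricted configuration would refuse. The two config fragments, the log lines, the ACL name "trusted" and the 192.0.2.0/24 local range are constructed; the source 207.65.135.10 is in the range the post names as the victim, appearing as a query source only because the real sender spoofed it. The script treats a missing allow-recursion as "any" (assumption: the BIND default when the post was written) and handles literal networks, named ACLs, localhost, any and none, but not localnets or key-based match lists.

```python
import re
import ipaddress
from collections import Counter

# Constructed named.conf fragments (not from the list post). The first answers
# recursive queries from any source, which is what makes a server usable as a
# reflector; the second restricts recursion to a named ACL of local networks.
NAMED_CONF_OPEN = """
options {
    recursion yes;
};
"""

NAMED_CONF_FIXED = """
acl "trusted" { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };
options {
    recursion yes;
    allow-recursion { "trusted"; };
};
"""

ACL_RE = re.compile(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;')
ALLOW_RE = re.compile(r'allow-recursion\s*\{([^}]*)\}\s*;')
# BIND 9 query-log shape: client <ip>#<port>: query: <name> IN <type> <flags>
# where a leading '+' in the flags means the client asked for recursion.
LOG_RE = re.compile(r'client (\S+)#\d+: query: (\S+) IN (\S+) ([+-])')


def _expand(body, acls):
    """Turn an address-match-list body into ip_network objects; None means 'any'."""
    nets = []
    for item in body.split(';'):
        item = item.strip().strip('"')
        if not item or item == 'none':
            continue
        if item == 'any':
            return None
        if item == 'localhost':
            nets += [ipaddress.ip_network('127.0.0.0/8'),
                     ipaddress.ip_network('::1/128')]
        elif item in acls:
            sub = _expand(acls[item], acls)
            if sub is None:
                return None
            nets += sub
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_recursion_acl(conf):
    """Return networks allowed to recurse, or None when recursion is open to all.

    A missing allow-recursion is treated as 'any' (assumption: the BIND default
    in effect when the post was written).
    """
    acls = dict(ACL_RE.findall(conf))
    m = ALLOW_RE.search(conf)
    return None if m is None else _expand(m.group(1), acls)


def classify(log_lines, nets):
    """Split recursion-desired queries into those the ACL answers and refuses.

    Returns two Counters keyed by source address. Iterative queries ('-') are
    skipped: allow-recursion does not affect answers for authoritative data.
    """
    answered, refused = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, _name, _qtype, rd = m.groups()
        if rd != '+':
            continue
        ip = ipaddress.ip_address(src)
        allowed = nets is None or any(ip in n for n in nets)
        (answered if allowed else refused)[src] += 1
    return answered, refused


# Constructed log lines. 207.65.135.10 is in the range the post says was being
# hit; it shows up as the *source* because the real sender spoofed it, so every
# answer goes back to the victim rather than to whoever sent the query.
SAMPLE_LOG = [
    "client 207.65.135.10#53: query: x.p.ctrc.cc IN ANY +",
    "client 207.65.135.10#53: query: x.p.ctrc.cc IN ANY +",
    "client 207.65.135.10#53: query: x.p.ctrc.cc IN ANY +",
    "client 207.65.135.10#53: query: x.p.ctrc.cc IN ANY +",
    "client 192.0.2.7#40123: query: www.example.com IN A +",  # local client
    "client 198.51.100.2#53: query: example.net IN A -",      # iterative, unaffected
]


def report(conf, log_lines):
    """Summarise what a server running `conf` would do with `log_lines`."""
    answered, refused = classify(log_lines, parse_recursion_acl(conf))
    return {"answered": dict(answered), "refused": dict(refused)}


if __name__ == "__main__":
    print("open  :", report(NAMED_CONF_OPEN, SAMPLE_LOG))
    print("fixed :", report(NAMED_CONF_FIXED, SAMPLE_LOG))
```

Run as a script, the open configuration answers all five recursion-desired queries, including the four whose spoofed source is the victim; with the ACL in place those four are refused and only the local client's query is answered, which is the effect the form letter's allow-recursion advice has on a real server. Pointing the same check at a server's own query log, with its own named.conf, shows whether outside sources are being answered recursively before any complaint arrives.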