[dns-operations] Queries for isc.org/ANY/IN

Mark Andrews marka at isc.org
Tue Jan 17 23:24:09 UTC 2012 

In message <4F156A27.800 at pernau.at>, Klaus Darilion writes:
> 
> 
> On 17.01.2012 10:40, Mark Andrews wrote:
> > In message<4F15321A.1020003 at pernau.at>, Klaus Darilion writes:
> >> Hi all!
> >>
> >> I can confirm this. We see peaks of around 2000q/s on our Anycast DNS
> >> servers (2nd level authoritive name servers). Peaks are usually 2-3
> >> minutes, sometimes also 2-3 hours. During a peak all the requests come
> >> from the same (spoofed) source IP.
> >>
> >> The queries are ANY/IN for arbitrary (existing) domains with "recursion
> >> desired" flag set. Usually we have the peaks in Singapore and Los
> >> Angeles, whereas sometimes Singapore swaps to our Frankfurt node. Thus,
> >> I think the attacker's bots are mainly located in Asia.
> >>
> >> regards
> >> Klaus
> >
> > You should use these to work out where BCP 38 filters are not in
> > place and then fix.  If it from a peer then get them to fix and
> > de-peer.  If it is from a transit provide they should be enforcing
> > BCP 38 as part of their peering agreements and if not find a transit
> > provider that does.
> >
> > BCP 38 is over a decade old at this point.  There is NO excuse any
> > longer.
> 
> Seems no one is worrying about excuses at all.
> 
> I did some test with spoofing src-IP addresses from our anycast nodes. 
> Some ISPs filter bogon src IPs, some use Loose Reverse Path Forwarding, 
> but from all nodes (6 different ISPs) I can spoof IP addresses from 
> currently used prefixes (seems nobody uses Strict or Feasible Path 
> Reverse Path Filtering). Also large carriers like L3 or HE seem not to 
> filter.
> 
> Sure I can complain to our ISP, but if they receive spoofed traffic from 
> their upstream providers I don't think they have enough strength to 
> force their upstreams for better filtering.
> 
> Sure it would be nice if all ISPs would filter spoofed packets, but I do 
> not think that it would be feasible with proper laws that force the ISPs 
> to do that.
> 
> regards
> Klaus
> 
> PS: Sending spoofed ICMP packets to www.isc.org works fine

Perhap you should let the list know who your ISP is so we can all
know NOT to purchase services from them.  You should be insisting
that your ISP protect you from their other customers pretending to
be you.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list