[dns-operations] Fwd: [AusNOG] Layer 7 - Distributed Source (within a single AS) Distributed Destination - Denial of Service Attack

Dobbins, Roland rdobbins at arbor.net
Tue Oct 15 03:58:10 UTC 2013

Begin forwarded message:

From: James Braunegg <james.braunegg at micron21.com>
Date: October 15, 2013 at 5:34:08 AM GMT+3
To: "ausnog at ausnog.net" <ausnog at ausnog.net>
Subject: [AusNOG] Layer 7 - Distributed Source (within a single AS) Distributed Destination - Denial of Service Attack

Dear All

Just thought I'd share some interesting, potentially frightful information with reference to DNS amplification request attacks we have observed.

We are now seeing hundreds of targeted IP addresses within the same network AS being targeted by thousands of IP addresses (all of which are spoofed UDP packets): a network administrator's nightmare.

Normally we see DDoS attacks against a specific /32 IP address, although it would appear the tables are turning towards a more distributed attack on the targeted network which hosts the /32 service being attacked.

What we have noticed, however, is that all the attack traffic, regardless of the source, destination, targeted URL or query, has a common pattern-matching signature of \50\fa\00\08\00\01\20, common to every packet generated from this substantial botnet, which is frequently published on this amplification attack webpage: http://dnsamplificationattacks.blogspot.com.au/

This pattern is common whether you're receiving the attack or your network is participating in it, so as long as you can filter each packet based on an exact hex pattern you have a chance of mitigating the attack traffic.

What's also interesting is that whilst open DNS resolvers used to be the common source of DNS amplification, older versions of BIND are also susceptible to participating in an attack even if open resolving is turned off when a request comes through, as BIND prior to version 9.5 allows root hint servers to be returned even when a REFUSED response is sent. You can disable this by adding `additional-from-cache no;` to BIND's configuration, which has stopped root hint servers being sent along with the REFUSED status.

Hope this information is useful, happy to discuss in more detail if you're interested!

Kindest Regards

James Braunegg
P:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666
W:  www.micron21.com/ip-transit    T: @micron21

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

AusNOG mailing list
AusNOG at lists.ausnog.net
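Added example, not code from the original e-mail or from Micron21: two checks an operator could run over captured UDP/53 payloads, built from the two observations in the forwarded post. The first flags packets that contain the reported byte pattern 50 fa 00 08 00 01 20 at any offset (the post does not say where in the packet the bytes sit, so the search is offset-independent) and emits an iptables string-match rule for it. The second parses the DNS header and flags REFUSED responses that still carry authority or additional records, the older-BIND behaviour the post describes. All payloads are constructed for the example, not captured attack traffic; the helper names (`classify`, `build_refused`, etc.) are this example's own.

```python
"""Added example, not from the original post. Two checks over UDP/53 payloads:
(1) offset-independent match on the byte pattern reported in the post, and
(2) REFUSED responses that still carry NS/additional records (the leak the
post attributes to BIND before 9.5). All sample payloads are constructed."""
import struct

SIGNATURE = bytes.fromhex("50fa0008000120")  # pattern quoted in the post
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    if name in ("", "."):
        return b"\x00"
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def parse_header(payload: bytes) -> dict:
    """Fields of the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def matches_signature(payload: bytes, signature: bytes = SIGNATURE) -> bool:
    """Exact byte match at any offset, the filter the post suggests."""
    return signature in payload


def refused_with_extra_records(payload: bytes) -> bool:
    """Response with RCODE=REFUSED that still carries NS/additional records."""
    h = parse_header(payload)
    return h["qr"] == 1 and h["rcode"] == RCODE_REFUSED and (h["nscount"] + h["arcount"]) > 0


def iptables_rule(signature: bytes = SIGNATURE) -> str:
    """iptables string-match rule dropping UDP/53 packets containing the bytes."""
    return ('-A INPUT -p udp --dport 53 -m string --algo bm '
            f'--hex-string "|{signature.hex()}|" -j DROP')


# --- constructed sample payloads (not captured traffic) ---------------------

def build_query(name: str, qtype: int, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_refused(name: str, qtype: int, txid: int, leak_root_ns: bool) -> bytes:
    """REFUSED response; optionally with a root NS record in the authority
    section, imitating the leak the post attributes to BIND before 9.5."""
    nscount = 1 if leak_root_ns else 0
    header = struct.pack("!HHHHHH", txid, 0x8105, 1, 0, nscount, 0)  # QR, RD, RCODE=5
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if leak_root_ns:
        rdata = encode_name("a.root-servers.net")
        msg += encode_name(".") + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return msg


_any_query = build_query("isc.org", 255, 0xBEEF)
SAMPLES = {
    "benign_query": build_query("example.com", 1, 0x1234),
    # Constructed: the signature is spliced in right after the header so the
    # matcher has something to hit; its real position is not given in the post.
    "attack_like_query": _any_query[:12] + SIGNATURE + _any_query[12:],
    "refused_clean": build_refused("isc.org", 255, 0x0BAD, leak_root_ns=False),
    "refused_leaky": build_refused("isc.org", 255, 0x0BAD, leak_root_ns=True),
}


def classify(payload: bytes) -> set:
    """Tags a payload earns: 'signature' and/or 'refused_leak'."""
    tags = set()
    if matches_signature(payload):
        tags.add("signature")
    if refused_with_extra_records(payload):
        tags.add("refused_leak")
    return tags


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:18s} {sorted(classify(pkt))}")
    print(iptables_rule())
```

The header parser is deliberately minimal: it never walks the question or record sections, so it cannot be confused by the truncated or malformed packets that amplification floods typically contain. The `refused_leak` check is the one to run against your own authoritative servers' responses, since a REFUSED answer with a non-zero NSCOUNT or ARCOUNT is the symptom that `additional-from-cache no;` is meant to remove.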
