[dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

Damian Menscher damian at google.com
Tue Oct 15 07:42:41 UTC 2013


I'm curious if anyone knows the significance of that 7-byte string?  They
say it's common to all attack traffic, whether the query or the response,
so that suggests it's the qname.  But it doesn't look like a valid qname to
me, so open resolvers wouldn't respond to it with any amplification.  What
am I missing?

Damian


On Mon, Oct 14, 2013 at 8:58 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
>
> Begin forwarded message:
>
> *From:* James Braunegg <james.braunegg at micron21.com>
> *Date:* October 15, 2013 at 5:34:08 AM GMT+3
> *To:* "ausnog at ausnog.net" <ausnog at ausnog.net>
> *Subject:* *[AusNOG] Layer 7 - Distrusted Source (within a single AS)
> Distrusted Distention - Denial of Service Attack*
>
> Dear All
>
> Just thought I’d share some interesting, potentially frightful
> information with reference to DNS amplification request attacks we have
> observed.
>
> We are now seeing 100’s of targeted IP addresses within the same network
> AS targeted by 1000’s of IP addresses (all of which are spoofed UDP
> packets), a network administrator’s nightmare.
>
> Normally we see DDoS attacks against a specific /32 IP address, although it
> would appear the tables are turning to a more distributed attack
> towards the targeted network which hosts the /32 service which is being
> attacked.
>
>
> What we have noticed however is all the attack traffic, regardless of the
> source, destination, targeted URL or query, has a common pattern matching
> signature of \50\fa\00\08\00\01\20 common to every packet generated from
> this substantial botnet which is frequently published on this amplification
> attack webpage: http://dnsamplificationattacks.blogspot.com.au/
>
>
> This pattern is common both if you’re receiving the attack or if your
> network is participating in the attack, so as long as you can filter each
> packet based on an exact hex format you have a chance of mitigating the
> attack traffic.
>
>
> What’s also interesting is whilst open DNS resolvers used to be the common
> source of DNS amplification, older versions of BIND are also susceptible to
> participating in an attack even if open resolving is turned off when a
> request comes through, as BIND prior to version 9.5 allows root hint
> servers to be returned even when a REFUSED response is sent. You can
> disable this by adding `additional-from-cache no;` to BIND's
> configuration, which has stopped sending root hint servers along with
> REFUSED status.
>
>
> Hope this information is useful, happy to discuss in more detail if you’re
> interested!
>
>
> Kindest Regards
>
>
> James Braunegg
> P: 1300 769 972  |  M: 0488 997 207  |  D: (03) 9751 7616
> E: james.braunegg at micron21.com  |  ABN: 12 109 977 666
> W: www.micron21.com/ip-transit    T: @micron21
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
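Two of the checks raised in this thread, written out as an added example rather than code from either post or from Micron21: whether the quoted 7-byte pattern can be read as a well-formed qname (Damian's question), and how to recognise a response that says REFUSED yet still carries additional-section records, the pre-9.5 BIND behaviour James describes and the reason a closed resolver can still amplify. The DNS wire-format parser, the query/response builders, the example.com question and the sample REFUSED reply are all constructed here; the root-hint owner names are paired with RFC 5737 TEST-NET addresses, not real root server addresses, and nothing is taken from captured attack traffic.

```python
"""Added example: minimal DNS wire-format helpers (not code from the thread)."""
import struct

REFUSED = 5          # RCODE value for REFUSED (RFC 1035)
MAX_LABEL = 63       # longest legal label (RFC 1035)

# The 7-byte pattern quoted in the forwarded post, as raw bytes.
SIGNATURE = bytes.fromhex("50fa0008000120")


def parse_name(buf, off):
    """Decode a DNS name at buf[off:]; return (labels, offset_after_name).
    Raises ValueError for a label > 63 octets, a name running past the end
    of the message, or a compression-pointer loop."""
    labels, hops, end, jumped = [], 0, None, False
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        if length == 0:                       # root label ends the name
            off += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer (11xxxxxx)
            if off + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = off + 2                 # the name's own bytes stop here
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            jumped = True
            continue
        if length > MAX_LABEL:
            raise ValueError(f"label length {length} exceeds {MAX_LABEL}")
        if off + 1 + length > len(buf):
            raise ValueError("label runs past end of message")
        labels.append(buf[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return labels, (end if jumped else off)


def is_valid_qname(blob):
    """True only if blob parses as exactly one well-formed DNS name."""
    try:
        _, end = parse_name(blob, 0)
    except ValueError:
        return False
    return end == len(blob)


def parse_header(msg):
    """Return the fixed 12-byte DNS header as a dict."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    return {"id": ident, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def refused_with_additional(msg):
    """Flag a response with RCODE REFUSED that still ships additional RRs."""
    h = parse_header(msg)
    return h["qr"] and h["rcode"] == REFUSED and h["arcount"] > 0


def additional_record_names(msg):
    """Owner names of the additional-section RRs (what a REFUSED reply carries)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        _, off = parse_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    skip = h["ancount"] + h["nscount"]
    names = []
    for idx in range(skip + h["arcount"]):
        labels, off = parse_name(msg, off)
        rdlen = struct.unpack_from("!HHIH", msg, off)[3]
        off += 10 + rdlen                     # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if idx >= skip:
            names.append(".".join(labels))
    return names


def amplification_factor(query, response):
    """Bytes sent back per byte received: what a reflector hands the attacker."""
    return len(response) / len(query)


# --- constructed sample traffic (not captured data) -------------------------
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, ident=0x1234):
    """A plain A/IN query with RD set."""
    return (struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1))


def build_refused_response(query, additional_names):
    """REFUSED reply echoing the question plus one A record per name;
    addresses are RFC 5737 TEST-NET placeholders, not real root servers."""
    ident = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!6H", ident, 0x8000 | REFUSED, 1, 0, 0, len(additional_names))
    rrs = b""
    for i, name in enumerate(additional_names):
        rdata = bytes([198, 51, 100, i + 1])
        rrs += encode_name(name) + struct.pack("!HHIH", 1, 1, 3600000, len(rdata)) + rdata
    return header + query[12:] + rrs


ROOT_HINT_NAMES = [f"{chr(c)}.root-servers.net." for c in range(ord("a"), ord("m") + 1)]
SAMPLE_QUERY = build_query("example.com.")
SAMPLE_REFUSED = build_refused_response(SAMPLE_QUERY, ROOT_HINT_NAMES)

if __name__ == "__main__":
    print("signature parses as a qname:", is_valid_qname(SIGNATURE))
    print("REFUSED but carries additional RRs:", refused_with_additional(SAMPLE_REFUSED))
    print("additional owners:", additional_record_names(SAMPLE_REFUSED)[:3], "...")
    print("amplification factor: %.2f" % amplification_factor(SAMPLE_QUERY, SAMPLE_REFUSED))
```

Read as a qname, the quoted pattern fails immediately: its first octet, 0x50, would be a label length of 80, above the 63-octet limit, which is the same reason Damian gives for doubting that open resolvers would answer it. The second half shows the check a resolver operator would run against their own server's replies after applying James's `additional-from-cache no;` change: a 29-byte query answered with a 471-byte REFUSED response carrying thirteen root-hint A records is a 16x amplifier, while a REFUSED response with ARCOUNT 0 is not.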