[dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

Mukund Sivaraman muks at isc.org
Tue Oct 15 17:19:20 UTC 2013


On Tue, Oct 15, 2013 at 03:58:10AM +0000, Dobbins, Roland wrote:
> What we have noticed however is all the attack traffic regardless of
> the source, destination, targeted URL or query has a common pattern
> matching signature of \50\fa\00\08\00\01\20 common to every packet
> generated from this substantial botnet which is frequently published
> on this amplification attack
> webpage. http://dnsamplificationattacks.blogspot.com.au/

We don't know where the magic string "\50\fa\00\08\00\01\20" appears in
the packet. I could not quickly find it at the URL above. This sequence
may not have a bad origin. It could be the EDNS0 client-subnet
extension:

50 fa 00 08 00 01 20 SN aa bb cc dd
^^^^^ ^^^^^ ^^^^^ ^^ ^^ ^^^^^^^^^^^
  |     |     |   |  |       `------ client IPv4 address
  |     |     |   |  `-------------- scope netmask
  |     |     |   `----------------- source netmask (0x20 = 32 bits)
  |     |     `--------------------- address family (0x0001 = IPv4)
  |     `--------------------------- option length
  `--------------------------------- old EDNS0 option code for client subnet

The option code 0x50fa has since been changed to 8 in
<http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02>,
but you can still see the old code in older patches to dig:
<http://wilmer.gaa.st/edns-client-subnet/bind-9.7.1-dig-edns-client-subnet.diff>

But we don't know for sure where in the packet this string came from. :)

                Mukund
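A small decoder for the option layout in the diagram above, added here as an example (it is not code from the list post or from BIND). It assumes only the wire format shown there and in the cited draft, and generalises it to the new option code 8 and to IPv6 (family 2); the sample bytes are constructed, with an RFC 5737 documentation address appended to the seven bytes of the signature.

```python
import ipaddress
import struct

# Pre-standard client-subnet option code seen in old dig patches, and the
# code assigned in draft-vandergaast-edns-client-subnet-02.
OLD_CLIENT_SUBNET_CODE = 0x50FA
CLIENT_SUBNET_CODE = 8
# address family -> (full address length in bytes, ipaddress class)
FAMILIES = {1: (4, ipaddress.IPv4Address), 2: (16, ipaddress.IPv6Address)}


def parse_client_subnet_option(data):
    """Decode one EDNS option (code, length, body) from raw bytes.

    Returns a dict describing the client-subnet option, or None when the
    bytes are not a well-formed client-subnet option.  Useful for checking
    whether a hex "signature" is just a benign option header.
    """
    if len(data) < 4:
        return None
    code, length = struct.unpack("!HH", data[:4])
    if code not in (OLD_CLIENT_SUBNET_CODE, CLIENT_SUBNET_CODE):
        return None
    body = data[4:4 + length]
    if len(body) != length or length < 4:      # truncated or too short
        return None
    family, source_mask, scope_mask = struct.unpack("!HBB", body[:4])
    if family not in FAMILIES:
        return None
    full_len, addr_cls = FAMILIES[family]
    if source_mask > full_len * 8 or scope_mask > full_len * 8:
        return None
    addr_bytes = body[4:]
    # The address is truncated to the bytes covered by the source prefix,
    # so a /24 carries three bytes and a /32 carries four.
    if len(addr_bytes) != (source_mask + 7) // 8:
        return None
    addr = addr_cls(addr_bytes.ljust(full_len, b"\x00"))
    return {
        "option_code": code,
        "legacy_code": code == OLD_CLIENT_SUBNET_CODE,
        "family": family,
        "source_prefix": source_mask,
        "scope_prefix": scope_mask,
        "address": str(addr),
    }


# Constructed sample: signature bytes 50 fa 00 08 00 01 20, scope 0, 192.0.2.1.
SAMPLE = bytes.fromhex("50fa000800012000c0000201")
```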