[dns-operations] Storm on the DNS
bortzmeyer at nic.fr
Fri Dec 18 13:18:07 UTC 2015
On Tue, Dec 15, 2015 at 11:17:15AM +0100,
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
a message of 16 lines which said:
> A discussion on Bruce Schneier's blog
The most WTF comment. Worth a read if you need entertainment today!
Peter • December 17, 2015 9:32 AM
The DNS attack started in November and it is a binary attack that uses
the DNS Port 53 and IANA reserved ports. The first part is
command/executable code installed on DNS servers. The second part is
what is currently causing consternation and that is a memory-resident
attack most current technologies cannot detect and it morphs about
three to four times a day. In the memory attack there are instructions
included that cause the DNS servers to send a quick response to one of
multiple Chinese web sites that have only recently been
registered. Once that happens, the web site sends the memory resident
attack data to the compromised DNS server and that DNS server starts
sending out malware to other DNS servers.
From what we have determined, all 13 primary DNS servers have been
compromised as well as most of the subordinate DNS systems.
So if you can ... imagine what will happen when whoever is behind
these attacks suddenly decides to tell the DNS systems to turn off and
they all do so simultaneously.