Author: Andy Smith
Date:  
To: users
Subject: [bitfolk] Security incident: Customer DNS resolvers turned into DDoS amplifiers

gpg: Signature made Wed Jan 9 13:34:00 2013 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi,

Yesterday morning we were notified via abuse report that two
customer VPSes had participated in a distributed denial of service
attack on a remote site.

The vector of attack was to abuse the customer's recursive
nameserver with forged queries for a large record in the DNS,
turning a 78 byte query into a 4 KiB response: a 52x amplification of
traffic. Each customer only contributed around 800kbit/sec to the
attack, but many thousands of insecure resolvers will have been
abused in total.

Firewall rules were put in place on BitFolk's side to deny UDP port
53 access to the customer's VPSes and customers were contacted to
arrange for correction of their configuration.

A full scan of BitFolk IP space was then undertaken and one more
customer with an insecure resolver was discovered. In this case
rather than the usual installation of BIND, it turned out to be
dnsmasq. They have since corrected this.

I would like to take this opportunity to remind those operating
nameservers on their VPSes that recursion should only be offered to
trusted hosts, not the entire Internet. Allowing arbitrary hosts to
issue recursive queries can lead to participation in DDoS attacks
(as seen here) and other unpleasant outcomes. For these reasons open
recursive nameservers are not permitted on BitFolk's network.

https://bitfolk.com/orns.html

Cheers,
Andy

About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings

--
http://bitfolk.com/ -- No-nonsense VPS hosting
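As an added example, not taken from Andy's post or from BitFolk's own configuration, here is the BIND 9 `named.conf` fragment that implements the "recursion only to trusted hosts" advice above: the open setting behind the incident is shown commented out beside the corrected one. The `trusted` ACL contents, the zone name and the file paths are placeholders; substitute your own.

```conf
// Added example, not BitFolk's configuration: BIND 9 named.conf fragment
// that offers recursion only to trusted clients, as the post advises.

// Placeholder networks (RFC 5737 / RFC 3849 documentation space).
// Replace with the ranges of your own hosts.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;           // e.g. your other VPSes
    2001:db8::/32;          // e.g. your office range
};

options {
    directory "/var/cache/bind";

    // Insecure (the setting that turns a resolver into an amplifier):
    // any host on the Internet can ask for a large record and have the
    // answer delivered to a forged source address.
    //
    //     recursion yes;
    //     allow-recursion { any; };
    //     allow-query     { any; };

    // Corrected: recursion, and the cached data it produces, are available
    // only to the trusted ACL. Everyone else receives a small REFUSED reply
    // instead of a multi-kilobyte amplified response.
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { trusted; };

    // Optional: if the resolver is only for local use, do not listen on
    // the public address at all.
    // listen-on    { 127.0.0.1; };
    // listen-on-v6 { ::1; };
};

// If the same server is also authoritative, open up only the zones it
// serves. A zone-level "allow-query { any; }" does not re-enable
// recursion for those clients.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { any; };
};
```

After editing, run `named-checkconf` and reload with `rndc reload`, then confirm from an address outside the ACL that a recursive lookup for a name you are not authoritative for comes back REFUSED rather than answered. For the dnsmasq case mentioned in the post the equivalent fix is to bind only to the loopback or internal interface (`listen-address=127.0.0.1` or `interface=`) instead of every address on the VPS.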