22 Jan
2009
22 Jan
'09
7:28 p.m.
My VPS seems have been also targeted as an unwitting participant in
this attack ...
http://www.merit.edu/mail.archives/nanog/msg14471.html
cod:~# tshark "port domain and (host ns.isprime.com or host ns2.isprime.com)"
Capturing on eth0
0.000000 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
1.142336 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
1.611227 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>
2.521652 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
3.615401 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>
5.481957 66.230.160.1 -> 212.13.194.x DNS Standard query NS <Root>
5.622538 66.230.128.15 -> 212.13.194.x DNS Standard query NS <Root>
... I think you get the idea.
Until I firewalled [1] these hosts from my DNS server, I was bouncing
back failures to the (legitimate) hosts; apparently the incoming
packets are being spoofed to over 750,000 DNS servers causing the
"real" hosts to get DOS'd by the failure responses (5Gbit of traffic
:S).
Not sure if any one else is experiencing the same issue, (I only
noticed as I run an iftop for other reasons).
~Mat
--
[1]
# iptables -I 1 INPUT -p udp --dport domain -s ns2.isprime.com -j DROP
# iptables -I 1 INPUT -p udp --dport domain -s ns.isprime.com -j DROP
22 Jan
22 Jan
11:41 p.m.
Mat Johns wrote:
My VPS seems have been also targeted as an unwitting
participant in
this attack ...
[snip]
Not sure if any one else is experiencing the same issue, (I only
noticed as I run an iftop for other reasons).
Yeah, saw it on my VPS and on another VPS I run with another provider in
Seattle. Thanks for the heads up, iptables applied with extreme
prejudice :)
-n
23 Jan
23 Jan
5:01 a.m.
Hi,
On Thu, Jan 22, 2009 at 07:28:45PM +0000, Mat Johns wrote:
Until I firewalled [1] these hosts from my DNS server,
I was bouncing
back failures to the (legitimate) hosts
I would encourage you all to firewall off your nameservers as
appropriate. There is typically very little reason to allow the
Internet to talk to your resolver, and there have been a number of
instances recently of people working out how to poison caches and
amplify spoofed DNS traffic.
If you are running a nameserver as an authoritative server then it
would need to be accessible from the Internet (unless hidden
master), but should not be offering recursion.
Thanks for the heads up on this. It spurred me to firewall off
Bitfolk's resolvers, though I need to move .96 to another machine
before I can do that (it returns REFUSED to non-customers for now).
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
10:59 a.m.
Andy Smith wrote:
I would encourage you all to firewall off your
nameservers as
appropriate. There is typically very little reason to allow the
Internet to talk to your resolver, and there have been a number of
instances recently of people working out how to poison caches and
amplify spoofed DNS traffic.
I don't think the current attacks going about matter if it's resolver or
not, as some are poorly configured and return more data then was sent
just with the root list alone.
Make sure your DNS configs are in order as well as firewall configs.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
12:59 p.m.
On Friday 23 January 2009 10:59:31 Duane at e164 dot org wrote:
Andy Smith wrote:
For BIND 9.3 users, look at setting "additional-from-cache no;" in your
options block. This will return a REFUSED reply instead of the additional
root list for clients who aren't permitted to recurse, massively reducing the
size of the responses.
Not sure about 9.4, but the 9.5 package in Debian Lenny that Andy was running
appeared to do this by default.
--
Dominic Cleal
dominic(a)computerkb.co.uk
I would encourage you all to firewall off your
nameservers as
appropriate. There is typically very little reason to allow the
Internet to talk to your resolver, and there have been a number of
instances recently of people working out how to poison caches and
amplify spoofed DNS traffic.
I don't think the current attacks going about matter if it's resolver or
not, as some are poorly configured and return more data then was sent
just with the root list alone.
Make sure your DNS configs are in order as well as firewall configs.
5811
days inactive
5812
days old
4 comments
5 participants
participants (5)
-
Andy Smith -
Dominic Cleal -
Duane at e164 dot org -
Mat Johns -
William Anderson