Begin forwarded message:

From: James Braunegg <[email protected]>
Date: October 15, 2013 at 5:34:08 AM GMT+3
To: [email protected]
Subject: [AusNOG] Layer 7 - Distributed Source (within a single AS) Distributed 
Destination - Denial of Service Attack

Dear All

Just thought I’d share some interesting, potentially frightful information with 
reference to DNS amplification request attacks we have observed.

We are now seeing 100s of targeted IP addresses within the same network AS 
targeted by 1000s of IP addresses (all of which are spoofed UDP packets), a 
network administrator's nightmare.

Normally we see DDoS attacks against a specific /32 IP address, although it 
would appear the tables are turning to a more distributed attack towards 
the targeted network which hosts the /32 service that is being attacked.

What we have noticed, however, is that all the attack traffic, regardless of the 
source, destination, targeted URL or query, has a common pattern-matching 
signature of \50\fa\00\08\00\01\20, common to every packet generated from this 
substantial botnet, which is frequently published on this amplification attack 
webpage: http://dnsamplificationattacks.blogspot.com.au/

This pattern is common both if you're receiving the attack or if your network 
is participating in the attack, so as long as you can filter each packet based 
on an exact hex format you have a chance of mitigating the attack traffic.

What's also interesting is that, whilst open DNS resolvers used to be the common 
source of DNS amplification, older versions of BIND are also susceptible to 
participating in an attack even if open resolving is turned off when a request 
comes through, as BIND prior to version 9.5 allows root hint servers to be 
returned even when a REFUSED response is sent. You can disable this by adding 
`additional_from_cache no;` to BIND's configuration, which has stopped it 
sending root hint servers along with the REFUSED status.

Hope this information is useful, happy to discuss in more detail if you're 
interested!

Kindest Regards

James Braunegg
P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: [email protected] | ABN: 12 109 977 666
W: http://www.micron21.com/ip-transit | T: @micron21


This message is intended for the addressee named above. It may contain 
privileged or confidential information. If you are not the intended recipient 
of this message you must not use, copy, distribute or disclose it to anyone 
other than the addressee. If you have received this message in error please 
return the message to the sender by replying to it and then delete the message 
from your computer.
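Added example (not from the post or from Micron21): a small Python triage script that searches UDP payloads for the byte pattern quoted above and tallies how many distinct targets inside a local prefix, and how many distinct source addresses, carry it, which is the shape of attack the post describes. Addresses and payloads are constructed; the post does not say at what offset the pattern sits, so the matcher searches the whole payload and the sample simply appends the bytes as a trailer.

```python
import ipaddress
from collections import Counter

SIGNATURE = bytes.fromhex("50fa0008000120")  # the \50\fa\00\08\00\01\20 pattern quoted in the post

def has_signature(payload: bytes) -> bool:
    # The post gives no offset for the pattern, so match it anywhere in the UDP payload.
    return SIGNATURE in payload

def dns_question_name(payload: bytes) -> str:
    """Decode the first QNAME after the 12-byte DNS header; '' if malformed."""
    labels, pos = [], 12
    try:
        while (n := payload[pos]) != 0:
            if n & 0xC0:  # compression pointer inside a question: treat as malformed
                return ""
            labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
    except (IndexError, UnicodeDecodeError):
        return ""
    return ".".join(labels)

def build_query(name: str, txid: int = 0x1234, qtype: int = 255, trailer: bytes = b"") -> bytes:
    """Constructed DNS query, one question (qtype ANY by default); trailer is a test hook only."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + qtype.to_bytes(2, "big") + b"\x00\x01" + trailer

def summarize(packets, local_prefix: str) -> dict:
    """packets: iterable of (src_ip, dst_ip, udp_payload); tallies hits, targets and sources."""
    net = ipaddress.ip_network(local_prefix)
    targets, sources, qnames, matched = set(), set(), Counter(), 0
    for src, dst, payload in packets:
        if not has_signature(payload):
            continue
        matched += 1
        sources.add(src)  # distinct (presumably spoofed) source addresses
        if ipaddress.ip_address(dst) in net:
            targets.add(dst)  # distinct targets inside our own prefix
        qnames[dns_question_name(payload)] += 1
    return {"matched": matched, "targets_in_prefix": len(targets),
            "distinct_sources": len(sources), "qnames": dict(qnames)}

# Constructed sample traffic using RFC 5737 documentation addresses; "our" prefix is 203.0.113.0/24.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10", build_query("example.com", trailer=SIGNATURE)),
    ("198.51.100.8", "203.0.113.11", build_query("example.com", trailer=SIGNATURE)),
    ("192.0.2.50", "203.0.113.10", build_query("www.example.net")),  # ordinary query, no signature
    ("198.51.100.7", "192.0.2.99", build_query("example.com", trailer=SIGNATURE)),  # target outside prefix
]
```

Feeding real captures in as (src, dst, payload) tuples turns summarize() into a quick check of whether the many-targets, many-sources pattern the post describes is present on your own network.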



_______________________________________________
AusNOG mailing list
[email protected]
http://lists.ausnog.net/mailman/listinfo/ausnog

