2011/5/19 minor float <[email protected]>
> Dear list readers, today we officially published our observations regarding the new attack vector of the DDoS against DNS servers.
>
> A full story can be read here: http://www.zone-h.org/news/id/4739
>
> Here is the excerpt.
>
> The attack phases are as follows:
>
> The attacker obtains the IP address/hostname of the target DNS server.
>
> The attacker updates the NS records of the pre-registered domain foo-domain.com with the IP address/hostname of the target DNS server. Some registrars or hosting providers do not provide this functionality; many others do. There are known hosting companies and ISPs that are supporting the spam [5]. After the NS records update, the attacker waits at least 24 hours until the new records are propagated all over the Internet.
>
Note that it's not possible with several TLDs. E.g., the fr NIC, afinc.net (and I hope some others) check that an SOA record is present (and much more; see http://www.zonecheck.fr) on the name server before updating NS records in the registry.

> Now the attacker prepares a spam campaign. There are a few aspects to note: first, the sender mail address for the MAIL FROM can contain the same user name, but the subdomain (3rd level domain) must vary per each spam message (for example, the first spam message has the sender james@subdom1.foo-domain.com but the second sender has to be james@subdom2.foo-domain.com).
>
> The second important aspect is the selection of the white horse systems. White horse systems are the SMTP incoming mail servers with a high bandwidth.
>
> Once the spam campaign has been started to the white horse systems using the spam botnet, these systems check in the background whether the sender's domain resolves to the domain MX or at least to an A record. Since the NS record is set to the target DNS server, the DNS requests will be performed to the target DNS server.
>
> The target DNS server receives multiple regular DNS requests for the bogus subdomain records (note that in previous Denial of Service attacks the DNS servers received either malformed, fragmented or ICMP messages, or TCP SYNs with invalid length or oversized, and some of these can be filtered by firewalls or security appliances). Since the DNS server does not have the records for foo-domain.com, it has to respond negatively to the request. If the spam campaign is successful, the white horse systems flood the DNS server with multiple valid DNS requests.
>
> Regards
>
> Jakub Alimov [Seznam.cz]
> minor [zone-h.org]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
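Added example, not code from the thread or from zone-h: a small Python check a DNS operator could run over query logs to spot the pattern the post describes, i.e. queries for many different subdomains of a domain this server does not host, arriving from many distinct mail servers doing sender verification. The zone list, the BIND-style log lines and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Zones this server really serves (constructed for the example).
AUTHORITATIVE = {"example.net"}

# Constructed BIND-style query log lines (simplified format, not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#4521: query: mail.example.net IN A
client 198.51.100.5#33012: query: subdom1.foo-domain.com IN MX
client 198.51.100.5#33013: query: subdom1.foo-domain.com IN A
client 203.0.113.7#51000: query: subdom2.foo-domain.com IN MX
client 203.0.113.7#51001: query: subdom2.foo-domain.com IN A
client 198.51.100.9#40100: query: subdom3.foo-domain.com IN MX
client 192.0.2.11#4600: query: www.example.net IN A
client 203.0.113.20#51020: query: subdom4.foo-domain.com IN MX
"""

def parse_line(line):
    """Return (client_ip, qname, qtype) from one query-log line."""
    parts = line.split()
    ip = parts[1].split("#")[0]          # strip the ':port' suffix
    return ip, parts[3].rstrip(".").lower(), parts[5]

def registered_domain(qname):
    """Crude: last two labels; real code would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])

def detect(log, authoritative=AUTHORITATIVE, min_subdomains=3):
    """Per domain we are NOT authoritative for, count queries, distinct
    subdomains, distinct clients and MX lookups; report the domains that
    show the post's signature: many subdomains asked by many clients."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "clients": set(), "mx": 0})
    for line in log.splitlines():
        ip, qname, qtype = parse_line(line)
        dom = registered_domain(qname)
        if dom in authoritative:
            continue  # normal traffic for zones we host
        s = stats[dom]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(ip)
        if qtype == "MX":
            s["mx"] += 1
    return {dom: {"queries": s["queries"], "subdomains": len(s["names"]),
                  "clients": len(s["clients"]), "mx_queries": s["mx"]}
            for dom, s in stats.items()
            if len(s["names"]) >= min_subdomains and len(s["clients"]) > 1}
```

A hit means someone has delegated a domain to this server without its consent; the operator can then answer REFUSED for that zone at the edge rather than building NXDOMAIN responses for every spam-driven lookup.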
