Re: [dns-operations] First experiments with DNS dampening to fight amplification attacks

2012-10-27 Thread Ralph Babel
Paul Vixie wrote:

> until cisco makes source address validation the default, we have
> no tools available to thwart ddos, other than clever hacks.

While we may not have any tools to fight DDoS per se, we do
have one to combat _amplification_ attacks: it's called TCP.

Yes, it does come at a cost, but no one said we could cut
corners forever, be it by using UDP DNS outside LANs or by
rate-limiting unvalidated source addresses. (Now why does
this remind me of the DNSSEC debate?)

There's no easy way out, there's no shortcut home ...
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-27 Thread Florian Weimer
* Tim Huffman:

> Any ideas what I can do to help my customer? This is the first time
> we've ever had something like this...

Have you checked if other domains you host are affected in a similar
way?


Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-27 Thread Robert Edmonds
David Conrad wrote:
> Yep, assuming it is cache poisoning. I'm trying to think of
> alternative explanations, but given reports (e.g., from Frank) that
> the issue is affecting other resolvers, it's hard to see other
> answers. A bit odd, given ben.edu isn't very high up on the Alexa (et
> al) list...

i don't think it's cache poisoning.  note that there are two out-of-zone
nameservers for ben.edu:

Domain Name: BEN.EDU
[...]
Name Servers: 
   NS1.BOBBROADBAND.COM  
   NS2.BOBBROADBAND.COM  

and that bobbroadband.com was updated recently, in the past two days:

Domain Name: BOBBROADBAND.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS1.BOBBROADBAND.COM
Name Server: NS2.BOBBROADBAND.COM
Status: clientTransferProhibited
Updated Date: 25-oct-2012
Creation Date: 22-oct-2005
Expiration Date: 22-oct-2017

here's what was seen in DNSDB on the same day that bobbroadband.com was
updated in whois:

;;  bailiwick: com.
;;  count: 114
;; first seen: 2012-10-25 11:53:51 -
;;  last seen: 2012-10-25 12:58:03 -
bobbroadband.com. IN NS ns1.pendingrenewaldeletion.com.
bobbroadband.com. IN NS ns2.pendingrenewaldeletion.com.

;;  bailiwick: bobbroadband.com.
;;  count: 2
;; first seen: 2012-10-25 15:08:04 -
;;  last seen: 2012-10-25 15:49:29 -
bobbroadband.com. IN NS ns1432.ztomy.com.
bobbroadband.com. IN NS ns2432.ztomy.com.

taking over the nameservers for bobbroadband.com would thus allow taking
over ben.edu:

;;  bailiwick: ben.edu.
;;  count: 2
;; first seen: 2012-10-25 15:09:49 -
;;  last seen: 2012-10-25 15:58:11 -
ben.edu. IN NS ns1432.ztomy.com.
ben.edu. IN NS ns2432.ztomy.com.

i see the exact same pattern with cooperhealth.edu, and its nameservers,
back in april:

Domain Name: COOPERHEALTH.EDU
[...]
Name Servers: 
   DNS01.CAVTEL.NET  
   DNS02.CAVTEL.NET  

Domain Name: CAVTEL.NET
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: DNS01.CAVTEL.NET
Name Server: DNS02.CAVTEL.NET
Status: clientTransferProhibited
Updated Date: 10-apr-2012
Creation Date: 08-apr-1999
Expiration Date: 08-apr-2013

;;  bailiwick: net.
;;  count: 168
;; first seen: 2012-04-10 08:30:35 -
;;  last seen: 2012-04-10 12:34:40 -
cavtel.net. IN NS ns1.pendingrenewaldeletion.com.
cavtel.net. IN NS ns2.pendingrenewaldeletion.com.

;;  bailiwick: cavtel.net.
;;  count: 6
;; first seen: 2012-04-10 14:23:47 -
;;  last seen: 2012-04-12 08:16:30 -
cavtel.net. IN NS ns1432.ztomy.com.
cavtel.net. IN NS ns2432.ztomy.com.

;;  bailiwick: cooperhealth.edu.
;;  count: 2
;; first seen: 2012-04-11 06:52:37 -
;;  last seen: 2012-04-11 20:07:14 -
cooperhealth.edu. IN NS ns1432.ztomy.com.
cooperhealth.edu. IN NS ns2432.ztomy.com.

-- 
Robert Edmonds
edmo...@isc.org
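The pattern Robert describes (ben.edu and cooperhealth.edu both delegated to out-of-zone nameservers whose parent domain was re-pointed to a different operator) can be checked for from a defender's side with passive-DNS NS history. The script below is an added example, not code from the thread or from DNSDB; the observations are reconstructed from the output quoted above, and `registrable()` is a two-label stand-in for a real Public Suffix List lookup.

```python
"""Flag delegation-chain takeover risk from passive-DNS NS observations.

Added example: given NS records with first-seen timestamps, report zones
whose out-of-zone nameservers sit under a parent domain whose own NS set
was re-pointed to a different operator. Sample data is reconstructed from
the DNSDB output quoted in the thread.
"""
from collections import defaultdict
from datetime import datetime

# (bailiwick, owner, first_seen, ns_target) -- values taken from the thread
OBSERVATIONS = [
    ("com.", "bobbroadband.com.", "2012-10-25 11:53:51", "ns1.pendingrenewaldeletion.com."),
    ("com.", "bobbroadband.com.", "2012-10-25 11:53:51", "ns2.pendingrenewaldeletion.com."),
    ("bobbroadband.com.", "bobbroadband.com.", "2012-10-25 15:08:04", "ns1432.ztomy.com."),
    ("bobbroadband.com.", "bobbroadband.com.", "2012-10-25 15:08:04", "ns2432.ztomy.com."),
    ("ben.edu.", "ben.edu.", "2012-10-25 15:09:49", "ns1432.ztomy.com."),
    ("ben.edu.", "ben.edu.", "2012-10-25 15:09:49", "ns2432.ztomy.com."),
]
# Registrar-published delegation for ben.edu (from the whois excerpt).
REGISTERED_NS = {"ben.edu.": ["ns1.bobbroadband.com.", "ns2.bobbroadband.com."]}

def registrable(name):
    """Last two labels; a simplification standing in for a Public Suffix List lookup."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:]) + "."

def out_of_zone_ns(zone, ns_names):
    """NS hosts whose registrable domain differs from the zone's own."""
    return [n for n in ns_names if registrable(n) != registrable(zone)]

def ns_operator_history(zone, observations):
    """Ordered list of (first_seen, frozenset of NS operator domains) for zone."""
    by_time = defaultdict(set)
    for _, owner, seen, target in observations:
        if owner.lower() == zone.lower():
            by_time[datetime.fromisoformat(seen)].add(registrable(target))
    return [(t, frozenset(by_time[t])) for t in sorted(by_time)]

def delegation_risk(zone, registered_ns, observations):
    """One finding per out-of-zone NS parent whose operator set changed over time."""
    findings, checked = [], set()
    for ns in out_of_zone_ns(zone, registered_ns):
        parent = registrable(ns)
        if parent in checked:
            continue
        checked.add(parent)
        operators = [ops for _, ops in ns_operator_history(parent, observations)]
        if len(set(operators)) > 1:
            findings.append((zone, parent, [sorted(o) for o in operators]))
    return findings
```

Running `delegation_risk("ben.edu.", REGISTERED_NS["ben.edu."], OBSERVATIONS)` reports that ben.edu depends on bobbroadband.com, whose NS operator moved from pendingrenewaldeletion.com to ztomy.com; feeding it the cooperhealth.edu / cavtel.net records from the thread produces the same shape of finding.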


Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-27 Thread David Conrad
Robert,

On Oct 27, 2012, at 1:37 PM, Robert Edmonds edmo...@isc.org wrote:
> i don't think it's cache poisoning.  note that there are two out-of-zone
> nameservers for ben.edu:
...
> and that bobbroadband.com was updated recently,

Good catch! Makes sense.  I checked the history on ben.edu but didn't think to 
check the rest of the delegation tree. D'oh.

Regards,
-drc
