Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Damian Menscher via dns-operations
--- Begin Message ---
You say:

> There are a great many public resolvers, the best known ones among which
> are operated by the major US corporations that have cornered a large
> proportion of Internet services and are often referred to as “GAFA” (from
> the initials of Google, Amazon, Facebook and Apple), or the “Big Four”.


Could you please share the IPs for the DNS resolvers operated by Amazon,
Facebook, and Apple?  I'm trying to determine whether I'm simply unaware of
those three open recursives (and unable to find them via a search engine),
or if you're simply spreading FUD for political reasons.

Operationally, if you can share the victim IPs (and timestamp in UTC) of
the purported attack either publicly or with law enforcement, such attacks
can sometimes be traced.

Damian

On Mon, Sep 14, 2020 at 6:23 AM Stephane Bortzmeyer wrote:

> On 1 and 2 September 2020, several French IAPs (Internet Access
> Providers), including SFR and Bouygues, were "down". Their DNS
> resolvers were offline, and it does indeed seem that this was the
> result of an attack carried out against these resolvers.
>
>
> https://www.afnic.fr/en/resources/blog/about-the-attack-on-french-isps-dns-resolvers.html
>
> ___
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--- End Message ---
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Keith Mitchell
On 9/14/20 1:54 PM, Fernando Gont wrote:
> On 14/9/20 10:14, Stephane Bortzmeyer wrote:
>> On 1 and 2 September 2020, several French IAPs (Internet Access
>> Providers), including SFR and Bouygues, were "down". Their DNS
>> resolvers were offline, and it does indeed seem that this was the
>> result of an attack carried out against these resolvers.
>>
>> https://www.afnic.fr/en/resources/blog/about-the-attack-on-french-isps-dns-resolvers.html
> 
> Any more details about the attack? e.g., what vectors they used, etc.?

This report also appears to be relevant, if brief:


https://www.nbip.nl/en/news/report-ddos-attacks-the-state-of-affairs-september-2020/

Keith



Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Fernando Gont

On 14/9/20 10:14, Stephane Bortzmeyer wrote:
> On 1 and 2 September 2020, several French IAPs (Internet Access
> Providers), including SFR and Bouygues, were "down". Their DNS
> resolvers were offline, and it does indeed seem that this was the
> result of an attack carried out against these resolvers.
>
> https://www.afnic.fr/en/resources/blog/about-the-attack-on-french-isps-dns-resolvers.html

Any more details about the attack? e.g., what vectors they used, etc.?

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492






Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Richard Clayton
In message <20200914131459.ga6...@nic.fr>, Stephane Bortzmeyer writes

>On 1 and 2 September 2020, several French IAPs (Internet Access
>Providers), including SFR and Bouygues, were "down". Their DNS
>resolvers were offline, and it does indeed seem that this was the
>result of an attack carried out against these resolvers.

it was a DDoS for ransom attack (and they were not alone in being
attacked in this way) ... viz: it was a volumetric attack against the
servers (no particular DNS aspect to it ...)

this has not been especially well documented in the press (most victims have
kept the news to themselves) but small parts of the campaign have been
mentioned from time to time...



-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




[dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Stephane Bortzmeyer
On 1 and 2 September 2020, several French IAPs (Internet Access
Providers), including SFR and Bouygues, were "down". Their DNS
resolvers were offline, and it does indeed seem that this was the
result of an attack carried out against these resolvers.

https://www.afnic.fr/en/resources/blog/about-the-attack-on-french-isps-dns-resolvers.html



Re: [dns-operations] Flag Day’s Resolver Tester: reports all my netblocks wrong

2020-09-14 Thread Jerry Lundström
Hi Pirawat,

On 2020-09-11 16:23, Pirawat WATANAPONGSE wrote:
> The new Resolver Tester for this year Flag Day reports all my netblocks
> wrong [Reference:
> https://drive.google.com/file/d/1gIf-BFXpBBu7Y03VbJbtpc5p2REOkoLC/view?usp=sharing
> ]

The screenshot is from Check My DNS, which is not related to DNS Flag Day.

The DNS Flag Day 2020 page uses a special domain on Check My DNS that
truncates all UDP requests so that the DNS Flag Day 2020 tester can
check if the request is retransmitted over TCP.

> My 158.108.0.0/16 was already (historically) transferred to APNIC
> [Reference: https://bgp.he.net/net/158.108.0.0/16#_whois]
> and my 2406:3100::/32 is registered directly with APNIC right from the
> start [Reference: https://bgp.he.net/net/2406:3100::/32#_whois]

Check My DNS uses standard WHOIS querying based on prefixes from IANA
and caches the information for a day or so.

158/8 still points at ARIN and the query for 158.108.213.5 will return a
referral to APNIC.

But Check My DNS does not support referrals (yet).

> Obviously, I have to assume that I did make mistake(s). But where and why?
> Please tell me how to fix it.

There are no mistakes, once I have time to add referral support to Check
My DNS it will show the correct information.

Cheers,
Jerry
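
Added example, not part of the message above and not Check My DNS code: a sketch of the referral handling the message describes, where the IANA reply for 158/8 names ARIN and ARIN's reply for 158.108.213.5 refers on to APNIC. The replies in `SAMPLE`, the `sample_query` transport and the function names are constructed for illustration; the allow-list is an added assumption, since a referral host is taken from a remote reply.

```python
import re

# Constructed sample replies keyed by server; a dict stands in for TCP/43
# so the example runs offline. Field values are illustrative only.
SAMPLE = {
    "whois.iana.org": "refer:        whois.arin.net\n"
                      "inetnum:      158.0.0.0 - 158.255.255.255\n",
    "whois.arin.net": "NetRange:       158.108.0.0 - 158.108.255.255\n"
                      "ReferralServer:  whois://whois.apnic.net\n",
    "whois.apnic.net": "inetnum:        158.108.0.0 - 158.108.255.255\n"
                       "source:         APNIC\n",
}

# A referral target comes from a remote reply, so only known registry
# servers are followed (assumption of this example).
ALLOWED = {"whois.iana.org", "whois.arin.net", "whois.apnic.net",
           "whois.ripe.net", "whois.lacnic.net", "whois.afrinic.net"}
REFERRAL = re.compile(
    r"^(?:refer|ReferralServer):[ \t]*(?:r?whois://)?([a-z0-9.-]+)(?::\d+)?/?[ \t]*$",
    re.I | re.M)

def sample_query(server, ip):
    """Hypothetical transport: return the constructed reply for `server`."""
    return SAMPLE[server]

def next_server(reply):
    """Return the referral host named in a reply, or None if there is none."""
    m = REFERRAL.search(reply)
    return m.group(1).lower() if m else None

def lookup(ip, query=sample_query, follow_referrals=True, max_hops=5):
    """Walk IANA -> registry -> referred registry; return (servers, last reply)."""
    chain, server, reply = [], "whois.iana.org", ""
    while server and len(chain) < max_hops:
        if server not in ALLOWED or server in chain:
            break  # untrusted target or referral loop: keep the last good reply
        chain.append(server)
        reply = query(server, ip)
        # Without referral support, stop at the registry IANA lists for the /8.
        if not follow_referrals and len(chain) == 2:
            break
        server = next_server(reply)
    return chain, reply
```

With `follow_referrals=False` the walk ends at ARIN, which is the result reported in the thread; with referrals followed it ends at APNIC.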


Re: [dns-operations] How widely implemented are different DNSSEC algorithms?

2020-09-14 Thread Moritz Muller via dns-operations
--- Begin Message ---
We publish some numbers on .nl on our stats website:

https://stats.sidnlabs.nl/en/dnssec.html#algorithms%20used

-
Moritz

> On 14 Sep 2020, at 06:59, Arsen STASIC  wrote:
> 
> * John Levine  [2020-09-11 14:29 (-0400)]:
>> Are there any published numbers estimating how well the various DNSSEC
>> algorithms are supported in DNS caches and client software?
>> 
>> Or to put it another way, were I to switch from signing with
>> algorithm 8 to 13, how much would I regret it?
> 
> Geoff Huston from APNIC has some nice graphs on ECDSA support (also in 
> comparison to RSA support) in recursive nameservers:
> 
> https://stats.labs.apnic.net/ecdsa/AU
> https://stats.labs.apnic.net/ecdsa/US
> 
> cheers,
> arsen
> ___
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



--- End Message ---