On Mon, Feb 20, 2012 at 4:00 PM, Joel jaeggli joe...@bogus.com wrote:
be assigned again, so a static filter policy will return to bite us
again like it always does.
sure, so you are saying there's a time limit on how long the supposed
ISP can run this infrastructure... and that they have until
On Sun, Feb 19, 2012 at 4:59 AM, Ken Gilmour ken.gilm...@gmail.com wrote:
What happens when the client sends a POST from a cached page on the end
user's machine? E.g. if they post login credentials. Of course, they'll get
the error page, but then you have confidential data in your logs and now
On Tue, 21 Feb 2012 16:29:04 CST, Jimmy Hess said:
Once your user has shared confidential information unsolicited with
an unknown third party, and the general public, the information's
confidentiality was spoiled by the act of posting, regardless of the
content of the information
I see
Here is a repeat
http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/
-henry
From: valdis.kletni...@vt.edu valdis.kletni...@vt.edu
To: Jimmy Hess mysi...@gmail.com
Cc: nanog@nanog.org
Sent: Tuesday, February 21, 2012 3:15 PM
Subject: Re: DNS Attacks
I am a mere user, so all this stuff sounds to me like gibberish.
The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message warning.html. Nothing
fancy. With a phone number to get out of jail, so people can call
to opt out of this
On Mon, 20 Feb 2012 16:38:00 +0100, Tei said:
The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message warning.html.
Not all DNS lookups are for websites. The lookup could be for NTP, or SMTP,
or ssh, or a World of Warcraft server,
On Mon, Feb 20, 2012 at 12:00 PM, valdis.kletni...@vt.edu wrote:
On Mon, 20 Feb 2012 16:38:00 +0100, Tei said:
The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message warning.html.
Not all DNS lookups are for websites. The lookup
On Mon, Feb 20, 2012 at 10:38 AM, Tei oscar.vi...@gmail.com wrote:
I am a mere user, so all this stuff sounds to me like gibberish.
The right solution is to capture the request to these DNS servers, and
send to a custom server with a static message warning.html. Nothing
fancy. With a
On 2/20/12 09:57 , Christopher Morrow wrote:
On Mon, Feb 20, 2012 at 10:38 AM, Tei oscar.vi...@gmail.com wrote:
I am a mere user, so all this stuff sounds to me like gibberish.
The right solution is to capture the request to these DNS servers, and
send to a custom server with a static
On Feb 18, 2012 10:24 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
especially for this purpose.
What happens when the client sends a POST
On Feb 19, 2012, at 10:59, Ken Gilmour ken.gilm...@gmail.com wrote:
On Feb 18, 2012 10:24 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote:
Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
On Sun, 19 Feb 2012 13:02:01 +0100, Jeroen Massar said:
Per default most webservers (Apache, nginx, etc) won't log POST
variables, GET variables will be logged (as they are part of the query)
but those should not contain any PII.
Right. They shouldn't. But the security mailing lists have
From ken.gilm...@gmail.com Sun Feb 19 05:04:39 2012
Date: Sun, 19 Feb 2012 11:59:37 +0100
Subject: Re: DNS Attacks
From: Ken Gilmour ken.gilm...@gmail.com
To: Robert Bonomi bon...@mail.r-bonomi.com
Cc: nanog@nanog.org
On Feb 18, 2012 10:24 PM, Robert Bonomi bon...@mail.r-bonomi.com wrote
--
Sent from my smart phone. Please excuse my brevity
On Feb 19, 2012 4:10 p.m., Robert Bonomi bon...@mail.r-bonomi.com wrote:
From ken.gilm...@gmail.com Sun Feb 19 05:04:39 2012
Date: Sun, 19 Feb 2012 11:59:37 +0100
Subject: Re: DNS Attacks
From: Ken Gilmour ken.gilm...@gmail.com
http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html
From: toor li...@1337.mx
To: nanog@nanog.org
Sent: Tuesday, January 17, 2012 9:04 PM
Subject: DNS Attacks
Hi list,
I am wondering if anyone else has seen a large amount of DNS
http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html
Quoting the FBI:
Joel M Snyder joel.sny...@opus1.com wrote;
http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html
Quoting the FBI:
On 1/18/2012 1:45 AM, Leigh Porter wrote:
On 18 Jan 2012, at 05:06, toorli...@1337.mx wrote:
Hi list,
I am wondering if anyone else has seen a large amount of DNS
queries coming from various IP ranges in China. I have been trying
to find a pattern in the attacks but so far I have come up
On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:
The firewall is significant because the attacks killed the firewall as it is
rather under specified (not my idea..).
DNS servers (nor any other kind of server, for that matter) should never be
placed behind stateful firewalls - the largest
I agree with Roland on the firewall placement. I add that the attack would
have likely succeeded to exhaust the servers. There is a lot of recent DDoS
activity on DNS with what looks like legitimate queries. You should also look
at some DOS/ application level protections; Radware and Arbor
Hi -
We've been victims of these attacks many a time and more recently
towards our customer dns servers which was rated at ~ 4gbps for a
duration of 30mins.
Tracking the source of an attack is simplified when the source is more
likely to be
]
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog@nanog.org
Subject: Re: DNS Attacks
Hi -
We've been victims of these attacks many a time and more recently towards our
customer dns servers which was rated at ~ 4gbps for a duration of 30mins
@nanog.org
Subject: Re: DNS Attacks
I agree with Roland on the firewall placement. I add that the attack
would have likely succeeded to exhaust the servers. There is a lot of
recent DDoS activity on DNS with what looks like legitimate queries.
You should also look at some DOS/ application level
On 18/01/2012 14:18, Leigh Porter wrote:
Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
as it is not *my* firewalls I really don't care what they do ;-)
As you're posting here, it looks like it's become your problem. :-D
Seriously, though, there is no value to
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard n...@foobar.org wrote:
On 18/01/2012 14:18, Leigh Porter wrote:
Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
as it is not *my* firewalls I really don't care what they do ;-)
As you're posting here, it looks like it's
On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard n...@foobar.org wrote:
On 18/01/2012 14:18, Leigh Porter wrote:
Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
as it is not *my* firewalls I really don't care
On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin s...@cs.columbia.edu wrote:
On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard n...@foobar.org wrote:
On 18/01/2012 14:18, Leigh Porter wrote:
Yeah like I say, it wasn't my idea to put
On Jan 18, 2012 8:43 AM, Christopher Morrow morrowc.li...@gmail.com
wrote:
On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin s...@cs.columbia.edu
wrote:
On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard n...@foobar.org
wrote:
On
-Original Message-
From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog@nanog.org
Subject: Re: DNS Attacks
yup... I think roland and nick (he can correct me, roland I KNOW is saying
this) are basically
Hi list,
I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure.
In message caljcmpma-gxuerpufeawtgzn4qtvkxjtaefl3d9gc0otvs9...@mail.gmail.com,
toor writes:
Hi list,
I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up
On Wed, Jan 18, 2012 at 12:04 AM, toor li...@1337.mx wrote:
Hi list,
I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
china is a big country
pattern in the attacks but so far I have come up blank. I
On 18 Jan 2012, at 05:06, toor li...@1337.mx wrote:
Hi list,
I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are
; lel...@taranta.discpro.org
Subject: RE: Recent DNS attacks from China?
Yes it is, but the problem is that our servers are attacking the so called
source address. All the answers are going back to the source. It is huge
amplification attacks. (some sort of smurf if you want) The ip addresses
...@rocketmail.com
Cc: nanog@nanog.org; lel...@taranta.discpro.org
Subject: RE: Recent DNS attacks from China?
Yes it is, but the problem is that our servers are attacking the so called
source address. All the answers are going back to the source. It is huge
amplification attacks. (some sort of smurf
Subject: RE: Recent DNS attacks from China?
Yes it is, but the problem is that our servers are attacking the so
called source address. All the answers are going back to the source. It
is huge amplification attacks. (some sort of smurf if you want) The ip
addresses are spoofed (We did
Once upon a time, Joel Maslak jmas...@antelope.net said:
Other than being non-compliant, is an ANY query used by any major
software? Could someone rate limit ANY responses to mitigate this
particular issue?
I believe qmail still uses ANY lookups.
--
Chris Adams cmad...@hiwaay.net
Systems and
Since it is spoofed traffic we block the source, so not participating in
flooding the real ip address.
The real issue is verify unicast reverse path not being implemented. So that
the ip addresses cannot be spoofed!
(unless we are dealing with some major unknown vulnerabilities in our
Hi All,
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for periods of 5 to 10 mins, repeated every 20
Hello Leland,
Yes we do see the same behavior!
regards,
Rob Vercouteren
There was a new BIND vulnerability announced...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/30/2011 10:59 AM, rob.vercoute...@kpn.com wrote:
Hello Leland,
Yes we do see the same behavior!
regards,
Rob Vercouteren
On Nov 30, 2011, at 9:13 AM, -Hammer- wrote:
There was a new BIND vulnerability announced...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
I strongly suspect the BIND vulnerability is unrelated. These attacks appear
to be simple (if large) DDoSes.
Regards,
-drc
On Wed, 30 Nov 2011, Leland Vandervort wrote:
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS
Just offering it up. It's not a 0day or anything but it is recently
published. I am not receiving the DoS so I haven't had a chance to
observe the traffic.
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/30/2011 11:40 AM, David Conrad wrote:
On Nov 30, 2011, at 9:13 AM, -Hammer-
Once upon a time, Leland Vandervort lel...@taranta.discpro.org said:
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
...@taranta.discpro.org
Sent: Wednesday, November 30, 2011 4:32 PM
Subject: Recent DNS attacks from China?
Hi All,
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs
On Wed, 30 Nov 2011 10:24:21 PST, andrew.wallace said:
Before we see knee-jerk conclusions about who to blame, these attacks could
be carried out by anyone. Is country even relevant in the cyberscape?
Reading comprehension, Andrew. Leland never said the Chinese were behind it,
he never even
Vandervort lel...@taranta.discpro.org
Sent: Wednesday, November 30, 2011 4:32 PM
Subject: Recent DNS attacks from China?
Hi All,
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash
@nanog.org; Leland Vandervort
Subject: Re: Recent DNS attacks from China?
An attack originating from somewhere indicates the presence of either
an attacker or a compromised host. A particular density of either in
a particular geographical area would seem like an interesting data
point.
--Richard
On Wed
: Wednesday, 30 November 2011 19:57
To: Richard Barnes; andrew.wallace
CC: nanog@nanog.org; Leland Vandervort
Subject: RE: Recent DNS attacks from China?
Except in this case it's a DNS attack, which implies UDP based and easily
spoofed. The source IP may or may not actually be accurate.
Ken
-Original Message-
From: rob.vercoute...@kpn.com [mailto:rob.vercoute...@kpn.com]
Sent: Wednesday, November 30, 2011 3:05 PM
To: matlo...@exempla.org; richard.bar...@gmail.com;
andrew.wall...@rocketmail.com
Cc: nanog@nanog.org; lel...@taranta.discpro.org
Subject: RE: Recent DNS attacks
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for periods of 5 to 10 mins, repeated every 20 to 30
On Thu, Aug 14, 2008 at 10:07:30AM -0700, Mike Leber wrote:
FYI. There was some question here about whether PowerDNS was vulnerable
or not and what it was doing, so I asked Bert Hubert about it. Here is
his answer:
And my additional nuance:
By the way - just to nuance things, I'm sure
Joe Greco wrote:
6) Have someone explain to me the reasoning behind allowing the corruption
of in-cache data, even if the data would otherwise be in-bailiwick. I'm
not sure I quite get why this has to be. It would seem to me to be safer
to discard the data. (Does not eliminate the
In a message written on Mon, Aug 11, 2008 at 09:41:54AM -0500, Jack Bates wrote:
7) Have someone explain to me the repeated claims I've seen that djbdns and
Nominum's server are not vulnerable to this, and why that is.
PowerDNS has this to say about their non-vulnerability status:
Leo Bicknell wrote:
If your vendor told you that you are not at risk they are wrong,
and need to go re-read the Kaminsky paper. EVERYONE is vulnerable,
the only question is if the attack takes 1 second, 1 minute, 1 hour
or 1 day. While possibly interesting for short term problem
management none
* Joe Greco:
I am very, very, very disheartened to be shown to be wrong. As if 8 days
wasn't bad enough, a concentrated attack has been shown to be effective in
10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html
Note that the actual bandwidth utilization on that GE link
It's usually interesting to be proven wrong, but perhaps not in this case.
I was among the first to point out that the 11-second DNS poisoning claim
made by Vixie only worked out to about a week of concentrated attack after
the patch. This was a number I extrapolated purely from Paul's
[EMAIL PROTECTED] (Joe Greco) writes:
I am very, very, very disheartened to be shown to be wrong. As if 8 days
wasn't bad enough, a concentrated attack has been shown to be effective in
10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html
that's what theory predicted.
On Aug 9, 2008, at 6:23 PM, Paul Vixie wrote:
second, please think carefully about the word severe. any time
someone
can cheerfully hammer you at full-GigE speed for 10 hours, you've
got some
trouble, and you'll need to monitor for those troubles. 11 seconds of
10MBit/sec fit my definition