Re: Recent DNS attacks from China?
On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:

> -----Original Message-----
> From: rob.vercoute...@kpn.com [mailto:rob.vercoute...@kpn.com]
> Sent: Wednesday, November 30, 2011 3:05 PM
> To: matlo...@exempla.org; richard.bar...@gmail.com; andrew.wall...@rocketmail.com
> Cc: nanog@nanog.org; lel...@taranta.discpro.org
> Subject: RE: Recent DNS attacks from China?
>
> Yes it is, but the problem is that our servers are attacking the so-called source address. All the answers are going back to the source. These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops). And yes, we saw the ANY queries for all the domains.
>
> I still wonder how it is still possible that IP addresses can be spoofed nowadays.

We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY, which unfortunately gives a 492-byte response.

> Rob,
>
> Transit providers can bill for the denial of service traffic and they claim it's too expensive to run uRPF because of the extra lookup.
>
> -Drew
Re: Recent DNS attacks from China?
Yup.. they're all ANY requests. The varying TTLs indicate that they're most likely spoofed.

We are also now seeing similar traffic from RFC1918 source addresses trying to ingress our network (but being stopped by our border filters).

Looks like the kiddies are playing.

On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:

> On Nov 30, 2011, at 3:12 PM, Drew Weaver wrote:
>
> > [...]
>
> We're a smaller shop and started receiving these queries last night, roughly 1000 queries per minute or less. We're seeing that the source (victim) addresses are changing every few minutes, the TTLs vary within a given source address, and while most of the source/victim addresses have been Chinese we are seeing a few which are not, such as 74.125.90.83 (Google). The queries are coming in to ns1.traffiq.com (perhaps ns2 also, I haven't checked) and are for traffiq.com/ANY, which unfortunately gives a 492-byte response.
>
> > [...]
Re: Recent DNS attacks from China?
Other than being non-compliant, is an ANY query used by any major software? Could someone rate limit ANY responses to mitigate this particular issue?

On Fri, Dec 2, 2011 at 8:17 AM, Leland Vandervort lel...@taranta.discpro.org wrote:

> Yup.. they're all ANY requests. The varying TTLs indicate that they're most likely spoofed.
>
> We are also now seeing similar traffic from RFC1918 source addresses trying to ingress our network (but being stopped by our border filters).
>
> Looks like the kiddies are playing.
>
> On 2 Dec 2011, at 16:02, Ryan Rawdon wrote:
>
> > [...]
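As an added illustration (not code from any poster on this thread), here is a Python sketch of the detection side of what Joel asks about, run over constructed BIND-style query-log lines: it flags sources sending a burst of ANY queries within a minute (one "client" per minute, then another, is the reflection pattern Ryan describes), lists sources in never-routable ranges like the RFC1918 ones Leland's border filters catch, and computes the amplification a 492-byte traffiq.com/ANY answer yields. The log layout, addresses and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log sample (not a real capture); layout is
# "client <ip>#<port>: query: <name> IN <type> <flags> (<server-ip>)".
SAMPLE_LOG = """\
30-Nov-2011 15:01:02.101 client 203.0.113.10#4321: query: traffiq.com IN ANY + (198.51.100.1)
30-Nov-2011 15:01:02.140 client 203.0.113.10#4322: query: traffiq.com IN ANY + (198.51.100.1)
30-Nov-2011 15:01:02.177 client 203.0.113.10#4323: query: traffiq.com IN ANY + (198.51.100.1)
30-Nov-2011 15:01:05.410 client 192.0.2.77#53011: query: www.traffiq.com IN A + (198.51.100.1)
30-Nov-2011 15:01:09.900 client 10.1.2.3#1111: query: traffiq.com IN ANY + (198.51.100.1)
30-Nov-2011 15:02:01.000 client 203.0.113.44#5555: query: traffiq.com IN ANY + (198.51.100.1)
30-Nov-2011 15:02:01.050 client 203.0.113.44#5556: query: traffiq.com IN ANY + (198.51.100.1)
30-Nov-2011 15:02:01.090 client 203.0.113.44#5557: query: traffiq.com IN ANY + (198.51.100.1)
"""

LINE_RE = re.compile(r"^(?P<minute>\S+ \d\d:\d\d):\d\d\.\d+ client (?P<src>[^#\s]+)#\d+: "
                     r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Ranges that must never appear as a source on an Internet-facing server:
# RFC 1918, loopback and link-local. Seeing them proves spoofing or a missing filter.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_log(text):
    """One dict (minute, src, qname, qtype) per well-formed query-log line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def any_floods(records, per_minute_threshold=3):
    """minute -> {src: ANY count} for sources at or above the threshold.
    Reflection shows up as one 'client' hammering ANY for a zone we serve,
    then a different 'client' (the next victim) a minute or two later."""
    buckets = defaultdict(Counter)
    for r in records:
        if r["qtype"] == "ANY":
            buckets[r["minute"]][r["src"]] += 1
    flagged = {m: {s: n for s, n in c.items() if n >= per_minute_threshold} for m, c in buckets.items()}
    return {m: s for m, s in flagged.items() if s}

def bogon_sources(records):
    """Sources inside NON_ROUTABLE ranges, i.e. certainly spoofed or unfiltered."""
    return sorted({r["src"] for r in records
                   if any(ipaddress.ip_address(r["src"]) in net for net in NON_ROUTABLE)})

def amplification_factor(qname, response_bytes):
    """DNS-payload amplification: response size over the size of the ANY query
    that elicits it (12-byte header + wire-format name + 4 bytes type/class)."""
    wire_name = sum(1 + len(label) for label in qname.strip(".").split(".")) + 1
    return round(response_bytes / (12 + wire_name + 4), 1)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(any_floods(recs), bogon_sources(recs), amplification_factor("traffiq.com", 492))
```

The per-minute counts are the signal to feed a rate limiter or an ACL; the bogon list is the cheap check that needs no threshold at all.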
Re: Recent DNS attacks from China?
Once upon a time, Joel Maslak jmas...@antelope.net said:

> Other than being non-compliant, is an ANY query used by any major software? Could someone rate limit ANY responses to mitigate this particular issue?

I believe qmail still uses ANY lookups.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
RE: Recent DNS attacks from China?
Since it is spoofed traffic we block the source, so we are not participating in flooding the real IP address.

The real issue is "verify unicast reverse path" not being implemented, so that the IP addresses cannot be spoofed! (Unless we are dealing with some major unknown vulnerabilities in our infrastructure.)

After a few days we will unblock again.

Regards,
Rob Vercouteren
Recent DNS attacks from China?
Hi All,

I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

Anyone else?

Regards,
Leland
Re: Recent DNS attacks from China?
Hello Leland,

Yes, we do see the same behavior!

Regards,
Rob Vercouteren
Re: Recent DNS attacks from China?
There was a new BIND vulnerability announced...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 11/30/2011 10:59 AM, rob.vercoute...@kpn.com wrote:
> Hello Leland,
>
> Yes, we do see the same behavior!
>
> Regards,
> Rob Vercouteren
Re: Recent DNS attacks from China?
On Nov 30, 2011, at 9:13 AM, -Hammer- wrote:
> There was a new BIND vulnerability announced...
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313

I strongly suspect the BIND vulnerability is unrelated. These attacks appear to be simple (if large) DDoSes.

Regards,
-drc
Re: Recent DNS attacks from China?
On Wed, 30 Nov 2011, Leland Vandervort wrote:
> I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

That might explain akamai.net hostnames not resolving intermittently since Tue Nov 29 20:20:02 2011 UTC... I don't run any authoritative or exposed caches at the moment, and the aka NXDOMAINs are the only thing we've been seeing dropouts on for the past ~48 hours, but we did see NXDOMAINs from a bunch of amazonaws hostnames over the holidays...

-- 
david raistrick    http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org    http://www.expita.com/nomime.html
Re: Recent DNS attacks from China?
Just offering it up. It's not a 0day or anything, but it is recently published. I am not receiving the DoS so I haven't had a chance to observe the traffic.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 11/30/2011 11:40 AM, David Conrad wrote:
> On Nov 30, 2011, at 9:13 AM, -Hammer- wrote:
> > There was a new BIND vulnerability announced...
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
>
> I strongly suspect the BIND vulnerability is unrelated. These attacks appear to be simple (if large) DDoSes.
>
> Regards,
> -drc
Re: Recent DNS attacks from China?
Once upon a time, Leland Vandervort lel...@taranta.discpro.org said:
> I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

I'm seeing something similar. The requests are to our authoritative servers, and appear to be mostly for a small number of domains at a time (they are all domains we are authoritative for). They are all ANY queries, often repeated for the same domain rapidly. The requests come from one IP at a time, but move to another IP in a minute or two.

This does NOT appear to be related to the recent BIND vulnerability.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Recent DNS attacks from China?
Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone. Is country even relevant in the cyberscape?

Andrew

From: Leland Vandervort lel...@taranta.discpro.org
To: nanog@nanog.org
Cc: Leland Vandervort lel...@taranta.discpro.org
Sent: Wednesday, November 30, 2011 4:32 PM
Subject: Recent DNS attacks from China?

Hi All,

I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

Anyone else?

Regards,
Leland
Re: Recent DNS attacks from China?
On Wed, 30 Nov 2011 10:24:21 PST, andrew.wallace said:
> Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone. Is country even relevant in the cyberscape?

Reading comprehension, Andrew. Leland never said the Chinese were behind it; he never even said the packets came from China. He said the packet origins were from Chinese IP addresses.

And yes, country *is* relevant in the cyberscape. For starters, it defines how much cooperation you'll get in tracking, arresting, and prosecuting the offenders. The US has had a lot more success in apprehending Gary McKinnon than the perpetrators of Titan Rain. It's almost certainly due to the fact that McKinnon was in Glasgow and the Titan Rain people weren't.
Re: Recent DNS attacks from China?
An attack originating from somewhere indicates the presence of either an attacker or a compromised host. A particular density of either in a particular geographical area would seem like an interesting data point.

--Richard

On Wed, Nov 30, 2011 at 1:24 PM, andrew.wallace andrew.wall...@rocketmail.com wrote:
> Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone. Is country even relevant in the cyberscape?
>
> Andrew
>
> From: Leland Vandervort lel...@taranta.discpro.org
> To: nanog@nanog.org
> Cc: Leland Vandervort lel...@taranta.discpro.org
> Sent: Wednesday, November 30, 2011 4:32 PM
> Subject: Recent DNS attacks from China?
>
> [...]
RE: Recent DNS attacks from China?
Except in this case it's a DNS attack, which implies UDP-based and easily spoofed. The source IP may or may not actually be accurate.

Ken

From: Richard Barnes [mailto:richard.bar...@gmail.com]
Sent: Wed 11/30/2011 11:51 AM
To: andrew.wallace
Cc: nanog@nanog.org; Leland Vandervort
Subject: Re: Recent DNS attacks from China?

> An attack originating from somewhere indicates the presence of either an attacker or a compromised host. A particular density of either in a particular geographical area would seem like an interesting data point.
>
> --Richard
>
> On Wed, Nov 30, 2011 at 1:24 PM, andrew.wallace andrew.wall...@rocketmail.com wrote:
> > Before we see knee-jerk conclusions about who to blame, these attacks could be carried out by anyone. Is country even relevant in the cyberscape?
> >
> > Andrew

*** Exempla Confidentiality Notice ***
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any other dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify me immediately by replying to the message and deleting it from your computer. Thank you.
*** Exempla Confidentiality Notice ***
RE: Recent DNS attacks from China?
Yes it is, but the problem is that our servers are attacking the so-called source address. All the answers are going back to the source. These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops). And yes, we saw the ANY queries for all the domains.

I still wonder how it is still possible that IP addresses can be spoofed nowadays.

Rob

-----Original Message-----
From: Matlock, Kenneth L [mailto:matlo...@exempla.org]
Sent: Wednesday, November 30, 2011 19:57
To: Richard Barnes; andrew.wallace
CC: nanog@nanog.org; Leland Vandervort
Subject: RE: Recent DNS attacks from China?

> Except in this case it's a DNS attack, which implies UDP-based and easily spoofed. The source IP may or may not actually be accurate.
>
> Ken
>
> From: Richard Barnes [mailto:richard.bar...@gmail.com]
> Sent: Wed 11/30/2011 11:51 AM
> To: andrew.wallace
> Cc: nanog@nanog.org; Leland Vandervort
> Subject: Re: Recent DNS attacks from China?
>
> > [...]
RE: Recent DNS attacks from China?
-----Original Message-----
From: rob.vercoute...@kpn.com [mailto:rob.vercoute...@kpn.com]
Sent: Wednesday, November 30, 2011 3:05 PM
To: matlo...@exempla.org; richard.bar...@gmail.com; andrew.wall...@rocketmail.com
Cc: nanog@nanog.org; lel...@taranta.discpro.org
Subject: RE: Recent DNS attacks from China?

> Yes it is, but the problem is that our servers are attacking the so-called source address. All the answers are going back to the source. These are huge amplification attacks (some sort of smurf, if you want). The IP addresses are spoofed (we did a capture and saw all different TTLs, so coming from behind different hops). And yes, we saw the ANY queries for all the domains.
>
> I still wonder how it is still possible that IP addresses can be spoofed nowadays.

Rob,

Transit providers can bill for the denial of service traffic and they claim it's too expensive to run uRPF because of the extra lookup.

-Drew
Re: Recent DNS attacks from China?
> I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an attack on their NTP servers. I could easily imagine a piece of malware with a bug that does massive retransmits on both DNS and NTP.

---

From: Rich schmidt.r...@gmail.com
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254

USNO is seeing an apparent coordinated denial of service attack on NTP originating with the following IPs: 220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194.

--

At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command ordered USNO to take NTP servers in Washington, DC offline, and USNO complied. USNO serves more than 3 million clients. This is the first time in 17 years that we have ceased NTP operations.

NTP Service from USNO Washington was restored at 30.56 November 2011 UTC. No further information is available for dissemination at this time.

-- 
These are my opinions, not necessarily my employer's. I hate spam.
Re: Recent DNS attacks from China?
> > I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from Chinese IP addresses? Over the past 24 hours we've seen a sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
> >
> > This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous Chinese traffic, never anything of this type.
>
> I don't know if it's related, but at about the same time USNO reported an attack on their NTP servers. I could easily imagine a piece of malware with a bug that does massive retransmits on both DNS and NTP.

I'm seeing DNS-based attacks on a regular basis, typically several per day, often involving ANY isc.org or ANY ripe.net to get a good amplification. E.g. *right now* an amplification attack against 78.159.111.190.

Steinar Haug, Nethelp consulting, sth...@nethelp.no